Quantum cryptography or quantum key distribution (QKD) applies fundamental laws of
quantum physics to guarantee secure communication. The security of quantum cryptography
was proven in the last decade. Many security analyses are based on the assumption
that QKD system components are idealized. In practice, inevitable device imperfections
may compromise security unless these imperfections are well investigated.

A highly attenuated laser pulse which gives a weak coherent state is widely used in 
QKD experiments. A weak coherent state has multi-photon components, which opens 
up a security loophole to the sophisticated eavesdropper. With a small adjustment of 
the hardware, we will prove that the decoy state method can close this loophole and 
substantially improve the QKD performance. We also propose a few practical decoy 
state protocols, study statistical fluctuations and perform experimental demonstrations. 
Moreover, we will apply the methods from entanglement distillation protocols based on
two-way classical communication to improve the decoy state QKD performance. Furthermore,
we study the decoy state methods for other single photon sources, such as the
triggering parametric down-conversion (PDC) source. Note that our work, the decoy state
protocol, has attracted a lot of scientific and media interest. Decoy state QKD
has become a standard technique for prepare-and-measure QKD schemes.

Aside from single-photon-based QKD schemes, there is another type of scheme based 
on entangled photon sources. A PDC source is commonly used as an entangled photon 
source. We propose a model and post-processing scheme for the entanglement-based 
QKD with a PDC source. Although the model is proposed to study the entanglement- 
based QKD, we emphasize that our generic model may also be useful for other non-QKD 
experiments involving a PDC source. By simulating a real PDC experiment, we show 
that the entanglement-based QKD can achieve longer maximal secure distance than the 
single-photon-based QKD schemes. 






We propose a time-shift attack that exploits the efficiency mismatch of two single 
photon detectors in a QKD system. This eavesdropping strategy can be realized by 
current technology. We will also discuss countermeasures against the attack and study
the security of a QKD system with efficiency-mismatched detectors.
Chapter 1



Introduction 



Study the past, if you would divine the future. — Confucius 

1.1 Background 

In this section, we will give a brief overview of quantum information processing and then
discuss one of its subfields that this thesis will focus on, which is quantum cryptography¹.

1.1.1 Quantum information processing 

Quantum information processing or quantum information science is an amalgamation of 
quantum physics and information science. It concerns information science that depends 
on quantum effects in physics. It includes theoretical issues in communication and com- 
putational models as well as experimental topics in quantum physics, including what can 
and cannot be done with quantum information. It is an interdisciplinary field, combin- 
ing ideas in physics, information theory, engineering, computer science, mathematics and 
chemistry. 

A bit, a binary digit, is the base of classical information theory. Regardless of its
physical representation, it is always read as either a 0 or 1. For instance, a 1 (true value)
is represented by a high voltage, while a 0 (false value) is represented by a low voltage.

A quantum bit, or qubit (sometimes qbit) is a unit of quantum information. That
information is described by a state vector in a two-level quantum mechanical system
which is formally equivalent to a two-dimensional Hilbert space. A qubit has some
similarities to a classical bit, but is fundamentally very different. Like a bit, a qubit can
have two possible values, normally a 0 or a 1. The difference is that whereas a bit must
be either 0 or 1, a qubit can be 0, 1, or a superposition of both.

1 I acknowledge that Subsections 1.1.1 and 1.1.2 heavily rely on the Internet to gather information,
especially wikipedia.org and quantiki.org.

Subfields of quantum information processing include:

• Quantum computing, which deals, on the one hand, with the question of how and
whether one can build a quantum computer and, on the other hand, with searching for
algorithms that harness its power;

• Quantum computation, which investigates computational complexity of various 
quantum algorithms; 

• Quantum error correction, which is used in quantum computing to protect quantum 
information from errors due to decoherence and other quantum noise; 

• Quantum entanglement, which studies entanglement as seen from an information- 
theoretic point of view; 

• Quantum cryptography and its generalization, quantum communication, which is 
the art of transferring a quantum state from one location to another. Note that this 
is the first quantum information application to reach the level of mature technology 
and fit for commercialization. This thesis focuses on quantum cryptography. 

1.1.2 Cryptography 

Nowadays, distant communications play a crucial role in our daily lives. Secure commu- 
nications become more and more important in many areas, e.g., online purchases, emails 
and video chats. 

Cryptography is the practice and study of encoding and decoding secret messages to
ensure secure communications. There are two main branches of cryptography: secret-
(symmetric-) key cryptography and public- (asymmetric-) key cryptography.

A key is a piece of information (a parameter) that controls the operation of a crypto- 
graphic algorithm. In encryption, a key specifies the particular transformation of plain- 
text into ciphertext, or vice versa during decryption. Keys are also used in other crypto- 
graphic algorithms, such as digital signature schemes and message authentication codes. 

In practice, due to significant difficulties of distributing keys in secret key cryptography,
public-key cryptographic algorithms are widely used in conventional cryptosystems.
These encryption schemes can only be proven secure based on the presumed difficulty
of a mathematical problem, such as factoring the product of two large primes. We
emphasize that no public-key encryption scheme can be secure against eavesdroppers with
unlimited computational power.

One of the most famous quantum computing algorithms is Shor's algorithm [105],
which can factor a number $N$ in $O((\log N)^3)$ time and $O(\log N)$ space. The algorithm is
significant because it implies that public key cryptography might be easily broken, given a
sufficiently large quantum computer. RSA [98], for example, uses a public key $N$ which is
the product of two large prime numbers. One way to crack RSA encryption is by factoring
$N$, but with classical algorithms, factoring becomes increasingly time consuming as $N$
grows large; more specifically, no classical algorithm is known that can factor in time
$O((\log N)^k)$ for any $k$. By contrast, Shor's algorithm can crack RSA in polynomial time.
It has also been extended to attack many other public-key cryptosystems.

In cryptography, the one-time pad is an encryption algorithm where the plaintext is
combined with a random key or "pad" that is as long as the plaintext and used only once.
A modular addition is used to combine the plaintext with the pad². In 1917, Vernam
proposed the one-time pad encryption scheme [116]. In 1949, Shannon proved that the
one-time pad is information-theoretically secure, no matter how much computing power is
available to the eavesdropper [104]. That is, if the key is truly random, never reused and
kept secret, the one-time pad provides perfect secrecy. Note that the one-time pad is the
only cryptosystem with perfect secrecy.

Despite Shannon's proof of its security, the one-time pad has serious drawbacks in
practice:

1. it requires a perfectly random key;

2. it requires secure generation and exchange of a key that must be at least as long as the message.

These implementation difficulties have made one-time pad systems impractical
and are so serious that they have prevented the one-time pad from being adopted as a
widespread tool in information security.

Quantum physics offers a solution to the aforementioned two difficulties for the one- 
time pad. First, the superposition (uncertainty) nature of quantum mechanics can gen- 
erate true randomness. Secondly, quantum cryptography allows two distant parties to 
generate secure keys. 



2 For binary data, the operation XOR amounts to the same thing.

1.1.3 Quantum cryptography

Quantum cryptography or quantum key distribution (QKD) applies fundamental laws 
of quantum physics to guarantee secure communication. It enables two legitimate users, 
commonly named Alice and Bob, to produce a shared secret random bit string, which can 
be used as a key in cryptographic applications, such as message encryption (for instance, 
the one-time pad) and authentication. Unlike conventional cryptography, whose secu- 
rity often relies on unproven computational assumptions, QKD promises unconditional 
security based on the fundamental laws of quantum mechanics. 

There are mainly two types of QKD schemes. One is the prepare-and-measure scheme,
such as BB84 [TT], in which Alice sends each qubit in one of four states of two
complementary bases; B92 [9], in which Alice sends each qubit in one of two non-orthogonal
states; and six-state [17], in which Alice sends each qubit in one of six states of three
complementary bases. The other is the entanglement-based QKD, such as Ekert91 [21], in which
entangled pairs of qubits are distributed to Alice and Bob, who then extract key bits by
measuring their qubits; and BBM92 [12], where each party measures half of the EPR pair in
one of two complementary bases. Note that in Ekert91, Alice and Bob estimate Eve's
information based on the Bell's inequality test³, whereas in BBM92, similar to BB84,
Alice and Bob make use of privacy amplification to eliminate Eve's information about
the final key [62].

QKD needs a quantum channel and a classical channel. The quantum channel can
be insecure whereas the classical channel is assumed to be authenticated. Fortunately,
in classical cryptography, unconditionally secure authentication schemes such as the
Wegman-Carter authentication scheme [125], [126] exist. Moreover, those unconditionally
secure authentication schemes are efficient: to authenticate an $N$-bit message, only
on the order of $\log N$ bits of the shared key are needed. Since a small amount of pre-shared
secure bits is needed between Alice and Bob, the goal of QKD is key growing, rather
than key distribution. Notice that in conventional information theory, key growing
is an impossible task. Therefore, QKD provides a fundamental solution to a classically
impossible problem.

3 In the original proposal [24] , the author claimed that the final key is secure when the Bell's inequality
is maximally violated. There are many follow-up works, such as pQ.

The procedure of the best-known QKD protocol, BB84, is as follows. We assume that
Alice uses polarization encoding.

1. Alice randomly chooses one of the four states (vertical, horizontal, 45-degree and
135-degree polarizations). Denote the rectangular basis as Z basis and the diagonal
basis as X basis. She sends the qubit to Bob through an insecure quantum channel.



2. Bob randomly chooses the Z or X basis to measure the received states. He keeps his
measurement result secret.

3. Through a public classical channel, Alice and Bob compare their bases and only keep
the measurement results for which they used the same basis. This step is commonly called
basis reconciliation. If both of them randomly choose bases, they will discard half
of the detection results.

4. Alice and Bob implement error correction and privacy amplification to extract the
final secure key. Later, we will show how to realize this step, which is normally the
main focus of a security proof.

Eve may tamper with the quantum channel and change/measure the states sent by Alice.
The last two steps together are called post-processing. It normally requires an
authenticated classical channel. That is, Eve can obtain all information about the classical
communication during the post-processing but cannot modify it.
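
The following Python sketch, added here as an illustration and not taken from the thesis, simulates steps 1 to 3 over an ideal lossless channel and compares the sifted keys with and without an eavesdropper. The intercept-resend model for Eve and the names `measure` and `run_bb84` are assumptions of the example.

```python
import random

# Polarization encoding from the procedure above: Z = rectangular basis,
# X = diagonal basis. A state is modelled as the pair (basis, bit).
BASES = ("Z", "X")


def measure(state, basis, rng):
    """Ideal projective measurement of a BB84 state in the given basis.

    Same basis as the preparation: the encoded bit is recovered with certainty.
    Conjugate basis: the outcome is a uniformly random bit.
    """
    prep_basis, bit = state
    return bit if prep_basis == basis else rng.randrange(2)


def run_bb84(n_pulses, eve_present, seed):
    """Simulate steps 1-3 and return (sifted_fraction, qber, alice_key, bob_key).

    Assumptions of this example: perfect single-photon source, no loss,
    no detector noise, so every error in the sifted key is caused by Eve.
    """
    rng = random.Random(seed)  # seeded only to make the example reproducible
    alice_key, bob_key = [], []
    for _ in range(n_pulses):
        # Step 1: Alice picks one of the four states at random.
        a_basis, a_bit = rng.choice(BASES), rng.randrange(2)
        state = (a_basis, a_bit)

        # Channel: Eve measures in a random basis and resends what she saw
        # (intercept-resend, an assumed attack model for illustration).
        if eve_present:
            e_basis = rng.choice(BASES)
            state = (e_basis, measure(state, e_basis, rng))

        # Step 2: Bob measures in a randomly chosen basis.
        b_basis = rng.choice(BASES)
        b_bit = measure(state, b_basis, rng)

        # Step 3: basis reconciliation keeps only matching-basis rounds.
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)

    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    sifted_fraction = len(alice_key) / n_pulses
    qber = errors / len(alice_key)  # quantum bit error rate of the sifted key
    return sifted_fraction, qber, alice_key, bob_key


if __name__ == "__main__":
    for eve in (False, True):
        frac, qber, _, _ = run_bb84(20000, eve, seed=1)
        print(f"Eve present: {eve!s:5}  sifted fraction: {frac:.3f}  QBER: {qber:.3f}")
```

About half of the pulses survive basis reconciliation in both runs, while the error rate of the sifted key rises from zero to roughly 25% when Eve measures and resends, which is the disturbance the post-processing in step 4 has to account for.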

Proving the security of QKD is a difficult problem in theory. Fortunately, this problem
was solved in the last decade, see for example, [84], [62], [106], [52]. Many security
proofs are based on the assumption of idealized QKD system components, such as a
perfect single photon source and well-characterized detectors. In practice, inevitable
device imperfections may compromise security unless these imperfections are well
investigated. Meanwhile, the security of QKD with realistic devices has been studied, see
[SSI EDI HHJ ESI HD EH ES] for examples. For more information about security proofs of
QKD, one can refer to Chapter 2. For a review of quantum cryptography, one may refer
to [31].

Experimental QKD has been successfully demonstrated over 100 km of transmission
distance through both commercial telecom fibers and free space [IlI |lll3[ l9T [[l"4"ll3"2"l ll02j.
Commercial QKD systems are already on the market⁴. The main problem in the field is
the security and performance of a realistic QKD system.

4 Note that there are three companies, id Quantique, MagiQ and Smartquantum, that have commercial
QKD products. However, the security has not been fully addressed yet.

1.1.4 Cryptanalysis and Quantum Cryptanalysis

Cryptanalysis is the study of methods for obtaining the meaning of encrypted
information, without access to the secret information which is normally required to do so.
Typically, this involves finding the secret key. In non-technical language, this is the
practice of code-breaking or cracking the code, although these phrases also have a specialized
technical meaning⁵.

In the quantum analogue, we need to consider loopholes that exist in QKD systems
and various attack strategies. The study of attacks has a two-fold meaning. First, it
investigates the security in a practical sense. Secondly, it is fundamentally interesting in
quantum mechanics. For example, a general physical problem in a practical QKD system
with two detectors is the detection efficiency loophole [80], [26]. This loophole underlies
not only applied technology, such as QKD, but also fundamental physics, such as Bell's
inequality testing. Moreover, in practice, it is difficult to build two detectors that have
exactly the same characteristics. Our work on the time-shift attack (see Section 9.2) is an
illustration of how one can proceed to handle this general problem in the security of
QKD.

1.2 Preliminary 

In this section, we will provide a general picture of QKD and some terminologies used in 
the thesis. 

1.2.1 A QKD scenario 

Let us introduce a few generic figures in QKD that we have already used in Section 1.1.3.
Alice, the sender, is the one who starts a key transmission. Bob, the receiver, is the
one who receives the quantum states and extracts the key sent by Alice. This is just a
convention used in the field, but not a strict definition. In some protocols, such as an
entanglement-based QKD that will be discussed in Chapter 8, the roles of Alice and Bob
are interchangeable.

The third important character is the eavesdropper, Eve, who plays the dark side here.
Eve is trying to intrude into the QKD and gain information about the key established
between Alice and Bob. One conservative assumption in QKD is that Eve has full
control of both the quantum and classical channels, knows the characteristics of the QKD
components very well⁶ and has great computational power. For example, Eve may own
a quantum computer. Eve's attack is only limited by quantum mechanics and other
laws of physics.

5 Definition from wikipedia.org.

Unconditional security is the Holy Grail of QKD, which means the security is proven
without any restrictions on Eve's computational ability. As mentioned above, in an
unconditional security proof, normally, Eve is assumed to own a powerful quantum computer
and have full control of the channels. On the other hand, in most widely used
conventional classical cryptography protocols, security is proven by assuming that Eve has
finite computational power; see, for example, RSA [98]. Thus, with the development of
technology and algorithms, the assumption that is made today about computational power
does not guarantee security for tomorrow. For instance, Eve may store the encrypted
message and decrypt it in the future with better computational power or algorithms. From
this point of view, unconditional security is appealing for many real-life applications.

1.2.2 QKD performance 

To compare different QKD protocols or setups, one needs to characterize the performance 
of QKD. There are two important aspects of QKD performance: key rate and maximal 
secure distance. 

We assume that Alice encodes the quantum information into faint laser pulses. If not 
(e.g., Alice uses a photon source pumped by a continuous wave laser), then Alice and 
Bob can manually partition the time domain into pulses. The key rate is defined to be 
the average number of final secure key bits from one pulse. Multiplied by the pulse
repetition rate (frequency), the key rate gives the speed of key generation.

Due to the loss and noise, all practical QKD systems have a limit of secure distance. 
That is, beyond a certain distance, a QKD setup with a certain post-processing procedure 
cannot achieve a positive secure key. The maximal secure distance is defined for a certain 
QKD setup and the post-processing scheme as the maximal QKD transmission distance 
that can yield a positive key rate. 

We emphasize that the key rate and maximal secure distance mentioned here are always
based on a guaranteed (proven) security. In many cases, we regard this as a lower
bound, in the sense that this performance is the least that one can achieve. Considering
a performance upper bound⁷ of QKD setups and protocols is also an interesting topic.
For example, one can refer to Refs. [271 ED].

6 Eve might be the producer of QKD systems.

For a real life application, certain performance is required. For instance, the state 
of the art digital speech coding [91] typically needs a bit rate around 4-10 kbits/sec. A 
typical city wide area network must cover an area with a radius of 5-25 km. Later, in the 
conclusion of Chapter we will see that the QKD performance with current technology 
can achieve these requirements. 



1.3 Motivation 

The main objective of this thesis is to bring QKD to real-life applications. To do that, 
we investigate the security issues of practical QKD systems and propose new techniques 
to improve QKD performance. 



1.3.1 QKD security 

As discussed in Section 1.1.3, we need to take into account device imperfections to achieve
QKD security. For example, an imperfect single photon source may open up loopholes
for sophisticated attacks, such as photon number splitting attacks [33 US, EI] .

On the detection side, Eve may launch attacks on the imperfections of detections.
For instance, Eve may take advantage of the timing information of signal pulses. We will
present a feasible attack with current technology, a time-shift attack, in Section 9.2.

Thus, in order to guarantee the security of a practical system, QKD components are 
closely investigated and a realistic model is established. Then, we link our model to the 
existing security proofs. From there, we can learn about the assumptions that are made 
to prove security and the requirements for QKD experiments. 



1.3.2 A gap between theory and experiment 

As mentioned in Section 1.2.2, in real-life applications, high QKD performance is required.
Naturally, there are two important aspects of QKD performance: key generation speed
(in bits/second) and transmission distance. Correspondingly, we will consider the two
criteria, key rate⁸ and maximal secure distance, as discussed in Section 1.2.2.

7 Beyond an upper bound, one surely cannot obtain a secure key.

On the theory side, much effort has been spent on the security proof of QKD with
imperfect devices [851 CSS SH EH [35] . When these security analyses are applied directly, the
QKD performance is very limited. One can refer to the simulation part in Chapter 4.

On the other hand, the transmission distance of QKD experiments has been extended
from a few meters in the first QKD experiment to currently more than 150 km. If we
apply a standard security analysis, for instance, GLLP, the existing experiment setups
can only tolerate a very limited transmission distance (as the simulation results show in
Section 4.1.4). The key issue here is the security of the experiment. Thus, there is a big
gap between the theory and practice of QKD.

This thesis aims to bridge this gap between theory and practice by guaranteeing the 
security and improving the performance of practical QKD. 

Note that in some cases, security is sacrificed to achieve a better QKD performance. 
In this thesis, we always guarantee the security first and then enhance the performance. 



1.4 Highlight and Outline 

During my Ph.D. program, I have completed the following projects by collaborating with 
my colleagues. 

• In Chapter 2, there will be reviews of various QKD security proofs and a comparison
of two standard security proofs of QKD with realistic devices. This work is
published in Ref. [73].

• In Chapter 3, there will be a discussion on a widely used experiment setup and its
model. This work is published in Ref. [77]. Here I acknowledge that I benefited
very much from discussions about experiment setups with Bing Qi.

• In Chapter 4, the decoy state idea and its security proof will be discussed. This
work is published in Ref. [HSj. In this work, I applied GLLP security analysis to a
decoy state QKD and simulated a QKD experiment [32] to show the improvement
given by using decoy states.

• In Chapter 5, practical decoy state protocols will be discussed. This work is
published in Ref. [77]. In this work, I applied the idea of the Vacuum+Weak decoy
state protocol, which was first proposed by Lo [60] and considered statistical
fluctuations. Furthermore, I designed the experimental parameters and analyzed data
in the decoy state QKD experiment demonstration [131], [132]. Hence, it can be
concluded that the decoy state idea is highly practical in real life applications.

• In Chapter 6, two post-processing schemes are studied based on two-way classical
communication for the decoy state method. This work is published in Ref. [71]. In
this work, I applied the Gottesman-Lo's 2-LOCC⁹ entanglement distillation
protocol (EDP) and recurrence scheme to a decoy state QKD and simulated a QKD
experiment to show the improvement by using two-way classical communication in
a decoy state QKD.

• In Chapter 7, various decoy state protocols are investigated for triggering parametric
down-conversion sources. This work is presented in Ref. [76]. In this work, I
modeled the QKD setup with a triggered PDC source following Lütkenhaus' work
[70] and compared various decoy state proposals of triggering PDC QKD.

• In Chapter 8, QKD with an entangled photon source will be discussed. This work is
published in Ref. [75]. In this work, I built an entangled PDC source model, applied
Koashi-Preskill's security analysis and simulated a PDC experiment to show the
performance of the entanglement-based QKD in comparison with a triggered single
photon source and coherent state QKD.

• In Chapter 9, quantum attacks and security against such attacks will be
investigated. These works are published in Refs. [50] and [2H] . Aside from the decoy
state method, we also studied other methods for improving the QKD performance,
such as the dual detector scheme [93], [92]. I am not the main contributor of these
works. I joined in discussions and helped work out the details.

• In Chapter 10, a summary of my Ph.D. study is presented and some interesting
topics for future research are stated.

• In Appendix A, the common abbreviations used in the thesis are listed and some
detailed mathematical derivations are shown.

• In Appendix B, the optimization of the source intensity $\mu$ is discussed.

8 Note that developing a QKD system with a high repetition rate is an interesting topic in the field,
for example, see Ref. [108] . In this thesis, we will always focus on the key rate unless otherwise stated.

9 See Appendix A.1 for the definition of LOCC.

1.5 Future outlook

An interesting topic is the natural extension of the current work: further enhancement 
of the performance of practical QKD systems. Continuous variable QKD is proposed to 
achieve a higher key rate in short and medium transmission distance. An open question is 
the security of continuous variable QKD. This is an appealing topic in the field. Modeling 
and simulations for continuous variable QKD are also interesting. 

Another crucial point is that in real life, one needs to consider some extra disturbances 
(e.g., quantum signals may share the channel with regular classical signals). The final 
goal is to achieve a customer friendly QKD system that can be easily integrated with the 
Internet, for instance. 

Statistical fluctuations need to be considered in QKD with a finite key length. There
is some work on this topic recently, e.g., [HH]. An interesting topic is applying Koashi's
complementary idea [23] to a finite key QKD and comparing it with prior results.

An interesting topic outside quantum cryptography is whether the techniques devel- 
oped in QKD can be useful in quantum computation. For example, do such models and 
post-processing schemes also help quantum computation by linear optics realizations? 

Finally, quantum information processing is related to the foundation of quantum 
mechanics. As we know, quantum information (e.g., von Neumann entropy) can help 
us in understanding quantum entanglement. What about other principles in quantum 
mechanics? 



Chapter 2

Security analysis



In this chapter, we will review various security proofs. We start with the objective of 
security proofs and the underlying assumptions in current security proofs. We compare 
two standard security proofs of the QKD with realistic devices. This work is published 
in Ref. [73]. 

2.1 What are security proofs? 

To serve as a secure key in cryptographic uses, a key must meet two criteria:

(a) Alice and Bob share the same key; that is, an identical key.

(b) Eve has no information about the key; that is, a secure key.

For a careful analysis and the formulation of security, see [22]. For necessary
and sufficient conditions for security, see [38].

The first criterion can be satisfied by performing classical error correction, for
example, by using the Cascade code [16]. After that, Alice and Bob will share an identical
key. Next, Alice and Bob will perform privacy amplification, for instance, by random
hashing, to eliminate Eve's information about the key.

The goal of current security analyses is to show how much privacy amplification needs
to be performed after a certain error correction procedure.

The main task for a security analysis is to figure out what the length of the final secure
key is and perform hashing to obtain the final key.
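
As an added illustration (not code from the thesis), the sketch below performs privacy amplification by random hashing with a Toeplitz matrix over GF(2), one common universal hash family; the thesis does not say which family it uses. The output length `out_len` is taken as given, since fixing it is the job of the security analysis, and all function names are assumptions.

```python
import itertools
import secrets


def toeplitz_hash(key_bits, seed_bits, out_len):
    """Compress key_bits to out_len bits with a random Toeplitz matrix over GF(2).

    The matrix entry is T[i][j] = seed_bits[i - j + n - 1], constant along each
    diagonal, so n + out_len - 1 seed bits define the whole out_len x n matrix.
    The seed may be public; it only has to be chosen at random after the
    quantum transmission.
    """
    n = len(key_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have len(key_bits) + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & key_bits[j]  # GF(2) dot product
        out.append(acc)
    return out


def random_bits(n):
    """n bits from the operating system's CSPRNG."""
    return [secrets.randbits(1) for _ in range(n)]


def collision_fraction(x, y, out_len):
    """Fraction of ALL seeds under which two inputs hash to the same value.

    Exhaustive enumeration, so only usable for small sizes. For distinct
    inputs the result is exactly 2**-out_len, which is the universal-hash
    property that random hashing relies on.
    """
    n = len(x)
    hits = total = 0
    for seed in itertools.product((0, 1), repeat=n + out_len - 1):
        total += 1
        if toeplitz_hash(x, seed, out_len) == toeplitz_hash(y, seed, out_len):
            hits += 1
    return hits / total


if __name__ == "__main__":
    reconciled = random_bits(16)  # constructed stand-in for the error-corrected key
    out_len = 6                   # assumed value; the security analysis sets it
    seed = random_bits(len(reconciled) + out_len - 1)  # announced publicly

    alice_final = toeplitz_hash(reconciled, seed, out_len)
    bob_final = toeplitz_hash(list(reconciled), seed, out_len)
    print("final keys identical:", alice_final == bob_final)

    # Two constructed 6-bit inputs that differ in one position.
    x = [1, 0, 1, 1, 0, 0]
    y = [1, 0, 1, 0, 0, 0]
    print("collision fraction over all seeds:", collision_fraction(x, y, 3))
```

Because the hash is linear and both parties apply the same public seed to an identical reconciled key, criterion (a) is preserved, while shortening the key is what removes Eve's partial information for criterion (b).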
2.2 Squash model

In this section, we will formalize the widely used squash model in security proofs.
Note that the squash model is used in the security proof proposed by Gottesman, Lo,
Lütkenhaus, and Preskill (GLLP) [35], see also [5T 1 11141 IT].

2.2.1 A calibration problem 

In all the existing QKD security proofs, certain characteristics of sources and detectors are
assumed to be known or measurable. However, in reality, such a calibration procedure
is a very difficult task. For example, on Alice's side, a good single photon source is
not available with current technology although much effort has been made in this field
[SJ [68j [5TJ H3j [231 1127] . On Bob's side, most security proofs rely on the assumption
that Bob measures two conjugate bases (for instance, X and Z) of a qubit. In real QKD
experiments, threshold detectors¹ are widely used. In summary, device calibration forms
a gap between the theory and practice of QKD.

In the experiment, to test (calibrate) a source, we need a good (well-characterized) 
detection system. On the other hand, to characterize a detector, we need a well-tested 
source. In QKD, we may even want to test these devices in real-time, which makes the 
task even more difficult. 



In most [...] make sure that Bob's (and sometimes also
Alice's) measurement is performed in a two-dimensional Hilbert space. This assumption
is another way to state the squash model. We can see that this squash model assumption
is not easy to avoid. Note that even when throwing away the squash model, one needs to have
certain assumptions about the side information. Later, in Chapter 9, we will see that
some side information (e.g., timing) may cause fatal security issues in QKD.

1 A threshold detector can only tell whether the input signal is vacuum or non-vacuum. For a strict
mathematical definition, one can refer to Section 7.3.2.

2 One exception is the so-called device-independent QKD protocol [1] based on Bell's
inequality [8]. However, no strict security analysis has yet been provided for this type of QKD protocol.
For recent developments of realistic threshold detector models, one can refer to Ref. [51].

2.2.2 Squash model

In theory, the squash model is proposed to avoid the aforementioned calibration problem.
As shown in Figure 2.1, the scenario that we are talking about here is as follows: Alice
prepares her own system $\rho^0_{AB}$. In a prepare-and-measure scheme (e.g., BB84),
$\rho_A = \mathrm{Tr}_B(\rho^0_{AB})$ determines the basis and key bit value that she will pick up. She then sends
the system $\rho_{B0} = \mathrm{Tr}_A(\rho^0_{AB})$ to Bob, which is intercepted by Eve. Eve performs some
operations and/or measurements on the system and resends a system $\rho_{B1}$ to Bob. After
passing through a filter, the state received by Bob is $\rho_B$. That is, Eve prepares a system
$\rho_B$ for Bob, generally depending on the system sent by Alice. Finally, Alice and Bob
will extract a key from measurements on $\rho_A$ and $\rho_B$, and Alice and Bob's detection system
follows the squash model.

Squash model: The detection system first performs a filter, projecting the incoming
state $\rho$ (with an arbitrary dimension of Hilbert space) into a two-dimensional Hilbert
space state $\rho_2$, or outputs a "failure" signal. If the projection succeeds, a projection
measurement will be performed in a basis³ in a two-dimensional Hilbert space.



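[Figure 2.1 diagram: Alice ($\rho_A$) sends $\rho_{B0}$ into the channel controlled by Eve; the output $\rho_{B1}$ passes through the filter, and Bob receives $\rho_B$.]

Figure 2.1: A schematic diagram for the squash model. The filter is the key component
of the squash model.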

The schematic diagram of the squash model is shown in Figure 2.1. As we can see, 
in the squash model Bob always receives a qubit or vacuum. In other words, in the 
squash model, Eve always sends a qubit or vacuum to Bob. 

2.2.3 Remarks 

1. The squash model is reasonable (but not necessarily correct) for threshold detector 
cases. After treating the double click as a random click event, a threshold detector's 
response can always be described by a qubit or vacuum measurement outcome. 

2. Even with only one photon, the squash model is still required in the existing security 
proofs. This is because there are lots of degrees of freedom of a photon, for instance, 
timing, polarization, phase [66] and space [91]. Thus, by using a perfect photon 
number resolving detector, one cannot avoid the squash model. 



3 This basis can be randomly chosen from a conjugated bases set. 
3. The filter acts as a key component of the squash model. One can model the channel 
losses and detector efficiency into the failure probability of the filter. 

4. In the squash model, when double clicks⁴ happen, we assume that Alice and Bob 
will assign a random bit, due to the strong pulse attack [69]. 



5. In a rigorous security analysis, one needs to experimentally verify whether the 
squash model gives a good description of a certain detection system. Take a widely 
used threshold detector for example. One needs to open the detector, examine 
the components carefully, then write down the quantum operations and compare 
them with the operations described by the squash model. Again, we want to emphasize that 
testing the model is a highly non-trivial task in the experiment. 

6. Another way to avoid the device calibration problem is to propose so-called 
device-independent QKD protocols, see for example, Ref. [1]. Up until now, a strict 
security proof of these device-independent QKD protocols is still missing. This is 
an interesting prospective topic. Recently, security proofs of QKD with a more 
realistic model, the threshold detector model, have been presented [SH 1114] [7] . An interesting 
theoretical question is whether the threshold detector model is equivalent to the 
squash model. 



2.3 Entanglement-based QKD 

In this section, we will review the idea of the Lo-Chau type security proof [62] of QKD 
based on entanglement distillation protocols (EDP) [13]. 

In the following discussion, we will use X and Z to represent two conjugate bases, 
which are the Pauli operators: 

to represent two conjugate bases. The QKD scenario in Lo-Chau's security proof can be 
described as follows: 



4 This is when more than one detector has detection events for one key bit transmission. In general, 
a double click probability is very small in comparison to dark count probability and detector efficiency. 
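1. Alice prepares n EPR pairs in one of the four Bell states, 

$$
\begin{aligned}
|\psi_{00}\rangle &= \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle), \\
|\psi_{10}\rangle &= \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle), \\
|\psi_{11}\rangle &= \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle), \\
|\psi_{01}\rangle &= \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle),
\end{aligned}
\tag{2.2}
$$

for instance, in $|\psi_{00}\rangle^{\otimes n}$. 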

2. Alice sends half of each EPR pair to Bob and keeps the other half in her quantum 
memory. 

3. After he receives the half EPR pairs, Bob stores all the qubits into his quantum 
memory. 

4. Alice and Bob perform an EDP protocol [13] to distill m (m < n) nearly 
perfect EPR pairs. 

5. Alice and Bob measure the EPR pairs in the Z basis to obtain a shared secret key. 

The key point of Lo-Chau's security proof is that if in Step 4, Alice and Bob share nearly 
perfect EPR pairs, the final key is secure. With a quantum computer, the amount of 
EPR pairs that Alice and Bob can distill is given by: 

$$m = n - r_{\text{err}}, \tag{2.3}$$

where $r_{\text{err}}$ is the amount of information (in bits) cost in the quantum error correction 
process. Here, $r_{\text{err}}$ can be regarded as the number of encrypted bits communicated 
between Alice and Bob in the post-processing⁵. 

2.4 Single-photon-based QKD 

In this section, we will review Shor-Preskill's security proof [106]. In Lo-Chau's security proof, 
the main drawback is that quantum computers (or at least quantum memories) are 
required, which are not available with current technology. Based on Lo-Chau's security 
proof, Shor and Preskill proposed a special EDP scheme, which can be reduced to a 
prepare-and-measure scheme. 

5 In this case, we assume that Alice and Bob encrypt the communication for the error correction. 

The EDP protocol proposed by Shor and Preskill is based on the Calderbank-Shor-Steane 
(CSS) code [18] [107]. The basic idea of Shor-Preskill's security proof is to replace 
Step 4 of Lo-Chau's security proof (see Section 2.3) by the following procedures: 

(4.a) Alice and Bob pick up k testing EPR pairs randomly and both measure in the Z basis 
to estimate the bit error rate, $\delta_b$. We call the procedure that corrects this type of error 
bit error correction. 

(4.b) They pick up another k testing EPR pairs randomly and both measure in the X basis 
to estimate the phase error rate, $\delta_p$. Correspondingly, we call the procedure that 
corrects this type of error phase error correction. 

(4.c) They abort the protocol if the error rates are too high. Otherwise, they apply a 
quantum CSS code to correct the bit and phase errors separately. It is here that 
an important property of the quantum CSS codes is applied: they can decouple 
the phase correction from the bit correction [106]. 

(4.d) They can distill m (m < n) nearly perfect EPR pairs by the quantum error 
correction procedure. 

The key argument in Shor-Preskill's security proof is that since the final Z measurement 
(see Step 5 in Section 2.3) commutes with Steps 1-4, Alice and Bob can move this Z 
measurement ahead of Step 1. Note that this is the reason why CSS codes are applied to 
decouple bit and phase error correction⁶. After this move, the bit error correction 
becomes a regular classical error correction and the phase error correction becomes a 
privacy amplification. Now the modified procedure will be exactly the same as the BB84 
protocol. 

1. Alice prepares n qubits, each in one of the four eigenstates of X and Z. Here, 
the reason for preparing X eigenstates is to make a symmetry between the bit and 
phase error rates. 

2. Alice sends the states to Bob. 

3. After he receives the states, Bob measures the states in X or Z bases randomly. 

4. Alice and Bob perform a post-processing scheme to distill m (m < n) bits of 
secure key. 

(4.a) Alice and Bob pick up k measurement results to estimate the bit error rate, 
$\delta_b$. 

(4.b) Due to the symmetry of BB84, they can estimate the phase error rate⁷ by 
$\delta_p = \delta_b$. 

(4.c) If the error rates are too high, they abort the protocol. Otherwise, they apply 
a classical error correction code to correct all the bit errors. 

(4.d) They apply a privacy amplification (for instance, random hashing) according 
to the phase error rate, $\delta_p$. 

6 Note that the CSS code is a linear quantum error correction code. It uses two classical error 
correction codes (e.g., $C_1$ and $C_2$ with $C_2 \subset C_1$) to protect bit and phase errors separately. For a 
detailed discussion of the reason why the CSS code can decouple bit and phase error corrections for 
QKD, one can refer to Ref. [106]. 

After the error correction and privacy amplification, the key rate is given by [106]: 

$$R = q Q_\mu [1 - H_2(\delta_b) - H_2(\delta_p)], \tag{2.4}$$

where q is the basis reconciliation factor (1/2 for the BB84 protocol due to the fact that 
half of the time, Alice and Bob disagree with the bases, and if one uses the efficient BB84 
protocol [63], $q \approx 1$), $Q_\mu$ is the filter success probability in the squash model⁸ and $H_2(x)$ 
is the binary entropy function, 

$$H_2(x) = -x \log_2(x) - (1 - x) \log_2(1 - x). \tag{2.5}$$

In summary, there are two main parts of the post-processing, error correction (for bit 
error correction) and privacy amplification (for phase error correction). These two steps 
can be understood as follows. First, Alice and Bob apply an error correction, after which 
they share the same key strings, but Eve may still keep some information about the key. 
Alice and Bob then perform a privacy amplification to expunge Eve's information from 
the key. 



7 Note that $\delta_p = \delta_b$ is true for the case of infinitely long key BB84. Later in Section 8.5.3 we will see 
that this may not be true for a finite key length with statistical fluctuations. Note also that for other 
protocols, such as the SARG04 protocol [101], it is no longer true that $\delta_p = \delta_b$ [109] [28]. 

8 Basically, $Q_\mu$ is the probability for Bob to obtain a detection (not a vacuum) in a pulse of key 
transmission. Later, in Section 3.2, one can see why we use the notation $Q_\mu$ here. 
2.5 GLLP security analysis 

In this section, we will review the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) security 
analysis idea [35]. It gives a security proof of BB84 QKD when realistic devices (such as 
imperfect single photon sources) are used. 

2.5.1 Tagged and untagged qubits 

In the original proposal of the BB84 protocol (as well as in Shor-Preskill's security proof), 
a perfect single photon source is required. Unfortunately, single photon sources are still 
not available with current technology. For the development of a single photon source, one 
can refer to Refs. [461 EH [57J H3J [231 H27] . Thus, intuitively, we can think there are two 
components in an imperfect single photon source, one is good for BB84 and the other is 
bad. Separating these two components is the main idea of GLLP. 

There are two kinds of qubits discussed in GLLP, tagged qubits and untagged qubits. 
Tagged qubits are those that have their basis information revealed to Eve, i.e. tagged 
qubits are not secure for QKD. On the other hand, untagged qubits are secure for QKD. 
Note that the idea of the tagged state was (perhaps implicitly) introduced by Lütkenhaus 
[70]. 

The untagged qubits basically come from the idea of a basis-independent source [54]. 
A basis-independent source means that, to Eve, the quantum states transmitted through 
the channel are independent of the bases that Alice and Bob are choosing. Whereas 
the tagged qubits come from basis-dependent sources, whose basis information may be 
revealed to Eve. 

Let us show a concrete example about tagged and untagged qubits. In BB84, qubits 
coming from single-photon states are untagged, while those from multi-photon states are 
tagged. This is because Eve, for instance, can perform photon-number splitting attacks 
[39] [15] [11] on the multi-photon states. This may not be true for other protocols. For 
example, in SARG04 [101] [109], two-photon states can be used to extract secure keys. 

2.5.2 Post-processing 

The GLLP post-processing is performed as follows. First, Alice and Bob apply error 
correction to all qubits, sacrificing a fraction $H_2(E_\mu)$ of the raw key, which is represented 
in the first term of Eq. (2.6) below. Secondly, in principle, Alice and Bob can distinguish 
the tagged and untagged qubits (for instance, by measuring the photon numbers on 
Alice's side), so they can apply the privacy amplification on the tagged state and untagged 
state separately. One can imagine executing privacy amplification on two different strings, 
$s_{\text{tagged}}$ and $s_{\text{untagged}}$, arising from the tagged qubits and the untagged qubits 
respectively. Since the privacy amplification is linear (for instance, by linear hashing), 
the key obtained is the bitwise XOR 



of keys that could be obtained from the tagged and untagged qubits separately. If $s_{\text{untagged}}$ 
is private and random, then it does not matter if Eve knows anything about $s_{\text{tagged}}$; the 
sum will still be private and random. Thus, one only needs to apply privacy amplification 
to the untagged bits. 
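The linearity argument above can be checked directly. The following is an added example, not code from the thesis: privacy amplification is modelled as Toeplitz hashing over GF(2) (one common linear hash, chosen here as an assumption), and the sifted key, tag positions and hash seed are constructed sample values.

```python
import random

def toeplitz_hash(bits, out_len, diag):
    """Linear hash over GF(2); entry (i, j) of the Toeplitz matrix is diag[i - j + n - 1]."""
    n = len(bits)
    if len(diag) != n + out_len - 1:
        raise ValueError("a Toeplitz matrix needs n + out_len - 1 seed bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= diag[i - j + n - 1] & bits[j]
        out.append(acc)
    return out

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def split_by_tag(sifted, tagged_positions):
    """Zero-pad both strings so that sifted == s_tagged XOR s_untagged, bit by bit."""
    s_tagged = [b if i in tagged_positions else 0 for i, b in enumerate(sifted)]
    s_untagged = [0 if i in tagged_positions else b for i, b in enumerate(sifted)]
    return s_tagged, s_untagged

def demo(n=64, out_len=16, n_tagged=16, seed=2024):
    rng = random.Random(seed)  # constructed sample data, reproducible
    sifted = [rng.randrange(2) for _ in range(n)]
    tagged_positions = set(rng.sample(range(n), n_tagged))
    diag = [rng.randrange(2) for _ in range(n + out_len - 1)]

    s_tagged, s_untagged = split_by_tag(sifted, tagged_positions)
    key = toeplitz_hash(sifted, out_len, diag)
    key_tagged = toeplitz_hash(s_tagged, out_len, diag)
    key_untagged = toeplitz_hash(s_untagged, out_len, diag)

    # Eve knows every tagged bit and the public hash seed, so she can compute
    # key_tagged herself and strip it from the final key.
    eve_residual = xor(key, key_tagged)
    return {
        "key": key,
        "key_tagged": key_tagged,
        "key_untagged": key_untagged,
        "eve_residual": eve_residual,
    }

if __name__ == "__main__":
    d = demo()
    print("key == key_tagged XOR key_untagged:", d["key"] == xor(d["key_tagged"], d["key_untagged"]))
    print("what Eve still has to guess equals hash(s_untagged):", d["eve_residual"] == d["key_untagged"])
```

What remains unknown to Eve is exactly the hash of the untagged string, which is why the output length has to be budgeted from the untagged bits alone.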

We define the key generation rate as the ratio of the final key length to the total 
number of pulses sent by Alice. Applying the GLLP idea to our model, $Q_1$ is the amount 
of untagged qubits. Thus, the key generation rate is given by [65]: 

$$R \ge q\{-f(E_\mu) Q_\mu H_2(E_\mu) + Q_1 [1 - H_2(e_1)]\}, \tag{2.6}$$

where q is the basis reconciliation factor as discussed in Eq. (2.4), $Q_\mu$ and $E_\mu$ are the 
overall gain (or filter success probability) and QBER, $Q_1$ and $e_1$ are the gain and error 
rate of untagged qubits, and f(x) is the error correction inefficiency (see, for example, 
[To] ) as a function of the error rate, normally $f(x) \ge 1$ with the Shannon limit f(x) = 1. 
For detailed definitions of $Q_\mu$, $E_\mu$, $Q_1$ and $e_1$, one can refer to Section 3.2. 

Note that one can add $Q_0$ into Eq. (2.6) by considering other security analysis [61], 
see also [51]. 

2.5.3 An extension 

The original GLLP idea only considers two types of qubits: tagged and untagged. For 
BB84, it sets a phase error rate $\delta_p = 1/2$ for tagged qubits and $\delta_p = \delta_b$ for the untagged 
qubits. The idea of applying separate privacy amplification (GLLP) can be naturally 
extended to the case of more than two classes of qubits [71], i.e. several kinds of qubits 
with tag g, which generalizes the concept of tagged and untagged qubits. The procedure 
of data post-processing is similar: an overall error correction step followed by privacy 
amplification for each case. Therefore, the key generation rate is given by: 

(2.7) 
where $Q_g$ is the gain of the qubits with tag g and $e_g$ is the corresponding phase error 
rate. Here, we want to emphasize that $e_g$ is not equal to the bit error rate of the qubits 
with tag g in general, unless the qubits come from a basis-independent source. 

This extension is useful for some post-processing schemes, e.g., SARG04 [101] and 
2-LOCC post-processing schemes [74] (see Chapter 6). 

The above discussion is a review of various security analyses. Next, we will compare 
two standard security analysis schemes. 

2.6 GLLP vs. Lütkenhaus' security analysis 

In this section, we will compare two data post-processing schemes, Lütkenhaus [70] versus 
GLLP [35]. Here, we use Lütkenhaus' security analysis⁹ to refer to his work; see Ref. [70]. 
Note that Lütkenhaus' security analysis proves the security against individual attacks, 
while GLLP offers unconditional security. This work is published in Ref. [73]. 

We can rewrite the formula of the key generation rate by Lütkenhaus' security analysis 
scheme [70]: 

$$R \ge q\{-Q_\mu H_2(E_\mu) + Q_1 [1 - \log_2(1 + 4e_1 - 4e_1^2)]\}, \tag{2.8}$$

where the privacy amplification term $\log_2(1 + 4e_1 - 4e_1^2)$ comes from collision probability. 

Now, we can compare Eqs. (2.6) and (2.8). In both key rate formulae, the first term 
in the bracket is for error correction and the second term is for privacy amplification. 
The privacy amplification is only performed on the single photon part. In this manner, 
Lütkenhaus [70] has already applied the idea of separate privacy amplification. 

We can see that the only difference between the Lütkenhaus and GLLP results appears 
in the privacy amplification part. We compare $H_2(e_1)$ with $\log_2(1 + 4e_1 - 4e_1^2)$ in Figure 2.2. 
We can see that the difference of the two functions is quite small. For this reason, in fact, 
Lütkenhaus and GLLP give very similar results in the simulations of real experiments 
[7J. 

Based on this observation, we find that there is little to gain by restricting the security 
analysis to individual attacks, given that the two schemes, Lütkenhaus and GLLP, provide 
very close performances. In other words, our view is that one is better off considering 
unconditional security, rather than restricting to individual attacks. 



9 We acknowledge that Lütkenhaus has worked on many security analysis schemes, including ILM [41] 
and GLLP [35]. 

Figure 2.2: Plot of the privacy amplification parts of GLLP and Lütkenhaus. The maximal 
deviation of the two curves is 15.36% when the error rate is 3.85%. 
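The comparison plotted in Figure 2.2 can be reproduced numerically. This is an added example, not code from the thesis; it assumes that the caption's "deviation" is the gap between the two privacy amplification terms taken relative to $H_2$, and the tolerable-error calculation further assumes an ideal single-photon source ($Q_1 = Q_\mu$, $e_1 = E_\mu$) with $f = 1$.

```python
import math

def h2(x):
    """Binary entropy function, Eq. (2.5)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def pa_gllp(e1):
    """Privacy amplification cost per single-photon bit in Eq. (2.6)."""
    return h2(e1)

def pa_lutkenhaus(e1):
    """Privacy amplification cost per single-photon bit in Eq. (2.8)."""
    return math.log2(1 + 4 * e1 - 4 * e1 * e1)

def largest_gap(step=1e-4):
    """Scan error rates in (0, 0.5] for the largest absolute gap between the two curves."""
    best_e, best_gap = 0.0, 0.0
    for k in range(1, int(round(0.5 / step)) + 1):
        e = k * step
        gap = pa_gllp(e) - pa_lutkenhaus(e)
        if gap > best_gap:
            best_e, best_gap = e, gap
    return best_e, best_gap

def relative_gap(e1):
    """Gap between the two terms as a fraction of the GLLP term."""
    return (pa_gllp(e1) - pa_lutkenhaus(e1)) / pa_gllp(e1)

def tolerable_error_rate(pa_term, lo=1e-6, hi=0.5):
    """Bisection for the error rate at which 1 - H2(e) - pa_term(e) reaches zero,
    i.e. where the bracket of the key rate vanishes for an ideal single-photon
    source with f = 1 (assumption made for this example)."""
    def margin(e):
        return 1 - h2(e) - pa_term(e)
    for _ in range(60):
        mid = (lo + hi) / 2
        if margin(mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    e_star, gap = largest_gap()
    print(f"largest gap {gap:.4f} bits at e1 = {e_star:.4f}")
    print(f"relative gap at e1 = 3.85%: {relative_gap(0.0385):.2%}")
    print(f"tolerable error rate, GLLP:       {tolerable_error_rate(pa_gllp):.4f}")
    print(f"tolerable error rate, Lutkenhaus: {tolerable_error_rate(pa_lutkenhaus):.4f}")
```

Under these assumptions the restriction to individual attacks moves the tolerable error rate only from about 11.0% to about 11.4%, in line with the conclusion drawn above.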



Chapter 3 



Setup and Model 



In this chapter, we will discuss a widely used QKD setup and model. For now, we will 
focus on the case where a weak coherent state source is used as an imperfect single photon 
source by Alice. Nevertheless, many concepts from this generic model are useful for other 
QKD setups. For example, in Chapter [TJ we will modify this model to fit the case of the 
QKD with triggered single photon sources. 

This work is published in Ref. [77] . I acknowledge that I benefited very much from 
discussions about experiment setups with Bing Qi. 



3.1 QKD setup 

As we pointed out earlier, due to the lack of a perfect single photon source for BB84, 
a weak coherent state source is widely used. We call this setup a coherent state QKD 
implementation. Similarly, perfect single photon detectors are commonly replaced by 
threshold detectors. The setup is shown in Figure 3.1. 

Figure 3.1: A schematic diagram for the coherent state QKD implementation. LD: 
laser diode; Attn: optical attenuator; RNG: random number generator; PC: polarization 
controller; PBS: polarization beam splitter; DB , DBi: single photon detectors. 

As shown in Figure 3.1, the coherent state QKD implementation works as follows. 

1. Alice uses a weak coherent state photon source. She attenuates the laser beam 
from a laser diode (LD) with an optical attenuator (Attn). She uses a random 
number generator (RNG) to generate random bits for her choice of basis and bit 
values. She encodes one of four polarizations (eigenstates of X and Z bases) by a 
polarization controller (PC). 

2. Bob receives the quantum states from the channel. He uses a PC as a polarization 
rotator for choosing his measurement basis, which is also controlled by a RNG. 
Then he uses a polarization beam splitter (PBS) followed by two single photon 
detectors (DAi and DA2) to perform the measurement. 



3.2 QKD model 

There are three main parts for a QKD system: source, channel and detection. In this 
section, we present a widely used QKD system model that follows Ref. [70]. See also 
Ref. [77]. In the model, we assume that Alice sends out quantum signals in pulses. In 
the case where Alice uses a continuous source, we assume that Alice and Bob manually 
fit detections into pulses. This model is originally designed for the coherent state QKD, 
but the channel and detection parts can also be used for other QKD implementations. 
For example, in Chapter [HI we will modify the source part of this model to fit the case 
of QKD with entangled photon sources. 

3.2.1 Weak coherent state source 

Highly attenuated lasers are often used as an imperfect single photon source in QKD. This 
type of source can be well described by a weak coherent state, which is a superposition 
of number states (aka Fock states) [103]. 

(3.1) 
Assuming that the phase of the laser is randomized for each pulse, the density matrix of 
the state emitted by Alice is given by: 

2- 




n=0 

where $\theta$ is the phase of the coherent state and $\mu = |\alpha|^2$ is defined to be the intensity of the 
photon source. The photon number follows a Poisson distribution: 

$$P(n) = \frac{\mu^n}{n!} e^{-\mu}. \tag{3.3}$$

From here, we can see that there are three types of photon states: 

1. vacuum state: $|0\rangle\langle 0|$ 

2. single photon state: $|1\rangle\langle 1|$ 

3. multi photon state: $|n\rangle\langle n|$ for $n \ge 2$. 

Here, we assume the squash model [35] as discussed in Section 2.2. That is, Eve receives 
all the pulses sent by Alice. Eve performs some arbitrary operations and sends either a 
vacuum or a qubit to Bob. Consequently, we denote the qubits coming from these three 
states as vacuum, single photon and multi photon qubits. 

A vacuum qubit is a qubit sent by Eve when Alice sends a vacuum state. In the case 
without Eve's presence, it is some random qubit stemming from the dark counts of Bob's 
detector or other background contributions. Thus, it does not contribute positively to the 
final secure key. Due to photon-number splitting attacks [39] [15] [11], multi photon states 
are not secure for the BB84 protocol. Here is a key observation of this QKD model: the 
final secure key can only be extracted from single photon qubits. Aside from BB84, this 
is true for most present QKD protocols, such as the B92 [9], six-state [UJ and N-state 
[49] schemes. One exception is the SARG04 protocol [101], in which two-photon states 
can also contribute to the secure key generation rate [109]. 
3.2.2 Channel and detection 

We use a beam splitter followed by a perfect single photon detector to model the channel 
and detection. We define $\eta$ to be the transmittance of the beam splitter. The loss is 
composed of channel loss, internal loss in Bob's detection system and detector efficiency. 
We assume that the channel loss is related to the transmission distance by a loss coefficient 
$\beta$ measured in dB/km. The transmittance $\eta$ is given by: 

$$\eta = \eta_B 10^{-\beta l / 10}, \tag{3.4}$$

where $l$ is the transmission distance in km and $\eta_B$ denotes the transmittance on Bob's 
side, including the internal transmission efficiency of optical components and detector 
efficiency. Here, we assume Bob uses threshold detectors. That is to say, we assume that 
Bob's detector can tell whether there is a click or not, but not the actual photon number 
of the received signal. 

In the simulation, we assume independence between the behaviors of the $i$ photons 
in $i$-photon states. Therefore, the transmittance of the $i$-photon state $\eta_i$ with respect to 
a threshold detector is given by: 

$$\eta_i = 1 - (1 - \eta)^i \tag{3.5}$$

for $i = 0, 1, 2, \ldots$. 

Yield: Define $Y_i$ as the yield of an $i$-photon state, i.e., the conditional probability 
of a detection event at Bob's side, given that Alice sends out an $i$-photon state. Note 
that $Y_0$ is the background rate which includes detector dark counts and other background 
contributions. 

The yield of the $i$-photon states $Y_i$ mainly comes from two parts, the background 
and the true signal. Assuming that the background counts are independent of the signal 
photon detection, then $Y_i$ is given by: 

$$Y_i = Y_0 + \eta_i - Y_0 \eta_i \approx Y_0 + \eta_i. \tag{3.6}$$

Here, we assume $Y_0$ (typically $10^{-5}$) and $\eta$ (typically $10^{-3}$) are small. 
The gain of $i$-photon states $Q_i$ is given by: 

$$Q_i = Y_i \frac{\mu^i}{i!} e^{-\mu}. \tag{3.7}$$

The gain $Q_i$ is the probability that Alice sends out an $i$-photon state and Bob obtains a 
detection. Then the overall gain, the probability for Bob to obtain a detection event in 
one pulse, is the sum over all $Q_i$'s: 

$$Q_\mu = \sum_{i=0}^{\infty} Y_i \frac{\mu^i}{i!} e^{-\mu}. \tag{3.8}$$

The overall gain $Q_\mu$ can also be understood as the filter success probability of the squash 
model that we discussed in Section 2.2. 

Quantum Bit Error Rate (QBER): The error rate of $i$-photon states is given by 

* = (3.9) 

* i 

where $e_d$ is the probability that a photon hits the erroneous detector; it characterizes 
the alignment and stability of the optical system. Experimentally, even at distances as 
long as 120 km, $e_d$ is relatively independent of the distance [32]. In the following, we 
assume that $e_d$ is independent of the transmission distance and the background clicks are 
random. Thus, the error rate of the background is $e_0 = 1/2$. Then the overall QBER is 
given by: 

$$E_\mu = \frac{1}{Q_\mu} \sum_{i=0}^{\infty} e_i Y_i \frac{\mu^i}{i!} e^{-\mu}. \tag{3.10}$$

In the QKD scenario that we are considering, as discussed in Section 11.2. H Eve can 
change $Y_i$ and $e_i$ for her attacks. Without Eve, in a normal QKD, Eqs. (3.5), (3.6), (3.7) 
and (3.9) are satisfied for all $i = 0, 1, 2, \ldots$. Thus, the gain and QBER are given by: 

$$
\begin{aligned}
Q_\mu &= Y_0 + 1 - e^{-\eta\mu}, \\
E_\mu Q_\mu &= e_0 Y_0 + e_d (1 - e^{-\eta\mu}).
\end{aligned}
\tag{3.11}
$$

Due to the fact that $Q_\mu$ and $E_\mu$ can be measured or tested from the experiment, we will 
use Eq. (3.11) in later simulations. 



3.2.3 Photon number channel model 

The model described above can be understood in another equivalent model. 

Photon number channel model: Alice and Bob have an infinite number of channels. 
For channel $i$, Alice sends out an $i$-photon state to carry the qubit information, 
$i = 0, 1, 2, \ldots$. In the aforementioned model, Alice chooses which channel to use with a 
Poisson distribution, shown in Eq. (3.3), which is determined by her photon source. 

Then $Y_i$ and $e_i$ can be regarded as the yield and error rate of channel $i$. Again, in our 
QKD scenario, Eve has full control of all these channels and she can change the values 
of $Y_i$ and $e_i$. 






Note that one condition for these two models being equivalent is that Alice randomizes 
the phase of each pulse. It turns out that in some situations, this phase randomization 
procedure is crucial for security [66] . 



3.3 QKD hardware 

Let us examine QKD system elements from a hardware point of view. In the model, we 
can see that there are a few key components: laser source, channel link and detection 
system. By having the knowledge of the characteristics of these components, we can fit 
the model and perform simulations. 



3.3.1 Laser source 

In QKD experiments, two types of laser pulses are mostly used: telecom wavelength 
(~1550nm) and visible light (~760nm). Note that the 1310nm light was also used for 
QKD experiments. For example, see Ref. [97]. Later, we will see that the choice of the 
wavelength, $\lambda$, determines the channel loss coefficient and detector efficiency. 



3.3.2 Channel 

There are mainly two types of QKD links: fiber and free space. 

For fiber based QKD, the transmission distance is easy to vary. Thus, one can define 
the channel loss coefficient, $\beta$ in dB/km, which characterizes the loss dependence on 
transmission distance. For example, the loss coefficient of telecom fiber is $\beta = 0.2$ 
dB/km. For the visible light, the fiber loss is high, $\beta = 2.5$ dB/km [113]. 

Since commonly used fibers are made of birefringent materials, it is difficult to maintain 
the polarization. Thus, phase encoding is widely used in fiber based QKD systems. 
Note that phase encoding¹ is equivalent to the polarization encoding [9]. 

For free space based QKD, in general, it is difficult to define $\beta$ in dB/km. Instead, 
the total link loss in dB is commonly used. One main source of loss for the free space 
QKD implementation is the collection efficiency. Due to atmosphere scattering, the light 
beam is widened on the receiver arm. For a detailed discussion on how the atmosphere 
affects the light, one can refer to [HH]. Note that the atmosphere is almost transparent to 
the visible light and it is a good medium for polarization maintenance. Later, we will see 
that the detector efficiency for visible light is normally higher than the one for telecom 
wavelength. Thus, in general, visible light is commonly chosen for free space based QKD. 

1 In a phase encoding scheme, Alice encodes her information into the relative phase between two 
pulses [9]. 



3.3.3 Detection 

For a detection system, four parameters are important. 

• $\eta_B$: detection efficiency, including detector efficiency and the internal transmission 
(coupling) efficiency of optical components inside Bob's box. The typical detection 
efficiency for a telecom wavelength² is 1 ~ 5%, while for a visible wavelength, it 
can be as high as 20%. 

• $Y_0$: background count rate (probability), including dark counts and other background 
contributions. Note that if two detectors are used in a QKD system, then 
$Y_0$ should be the sum of the dark count rates of the two detectors in addition to 
other background contributions. 

• $e_d$: intrinsic detector error probability, which characterizes the alignment and 
stability of the optical system. In our model, we assume that $e_d$ is independent of the 
transmission distance. 

• repetition rate: in practice, the repetition rate of detectors limits the key transmission 
speed. The product of key rate R and repetition rate gives the key generation 
speed in bits/second. Normally, in an experiment, the laser pulses can be designed 
to be fast. The repetition rate is mainly limited by the detection system, e.g., the 
detector dead time and detection time-resolution. 

In the model, we assume that there are two main sources of QBER, one from $Y_0$, 
which depends on channel loss and the other from $e_d$, which is independent of channel 
loss. 

Note that there are a few developments in building single photon detectors during 
recent years, such as superconducting materials based detectors |1UU] and up-conversion 
detectors [S3 UTT] 



2 Here, we consider a widely used detection system with single photon detectors based on InGaAs/InP 
avalanche photodiodes. 

3 This part is roughly determined by the ratio $Y_0/\eta$. 
Later in the simulations, we use setup parameters from the QKD experiment completed 
by Gobby, Yuan and Shields (GYS) [32]. The key parameters of the experiment 
setup are listed in Table 3.1. 

  $\lambda$ [nm]   $\beta$ [dB/km]   $\eta_B$   $e_d$   $Y_0$ 
  1550             0.21              4.5%       3.3%    $1.7 \times 10^{-6}$ 

Table 3.1: Parameters of the QKD experiment setup from GYS [32]. 



Chapter 4 
Decoy state 



The decoy state method was first proposed by Hwang [ID] to improve the performance 
of the coherent state QKD. We have proven the security of the QKD with decoy states 
[60] [72] [65] and demonstrated its practical advantage. In Hwang's original decoy state 
method, she suggested the use of a strong coherent state (with $\nu > \mu$) for decoy states. 
In contrast, we propose using weak coherent states. Subsequently, some practical decoy 
state protocols with only one or two decoy states are proposed [77]. We highlight 
that practical decoy state protocols were also proposed by Wang [123] [124] and by Harrington, 
Ettinger, Hughes and Nordholt [36]. 

The experimental demonstrations for the decoy state method have been completed 
recently P3H Q321 ESI Q3SI EEl Q2SI G2B1 • Note that aside from the decoy state method, we 
also studied other methods to improve the QKD performance, such as the dual detector 
scheme [93]. 

This work is published in Ref. [65]. By collaborating with Hoi-Kwong Lo and Kai 
Chen, I apply the GLLP security analysis to a decoy state QKD. With the model described 
in Section 3.2, I simulate a QKD experiment [32] to show the improvement given 
by using decoy states. 



4.1 Decoy state 

In this section, we present the QKD with decoy states. By simulating a real experiment 
setup, we compare two cases: a decoy and non-decoy state QKD. 
4.1.1 Motivation 

As discussed in Section 2.5, in the GLLP security analysis, Alice and Bob need to determine 
the portion of tagged and untagged qubits to implement privacy amplification. 

From Eq. (2.6), we can see that $Q_\mu$ and $E_\mu$ can be measured or tested from the 
experiment. Alice and Bob need to estimate $Q_1$ and $e_1$ to determine the amount of 
privacy amplification that is needed. 

On the other hand, as we presented in Section 3.2, Eve has full control of the channel. 
Thus, she might block out single photon states, which are not good for her attack, and make 
the channel transparent to the multi photon states. Thus, one pessimistic assumption is 
that all losses and errors come from a single photon state [70] [35]. That is, set $Y_i = 1$ 
and $e_i = 0$ for $i \ge 2$ in Eqs. (3.8) and (3.10). Thus, the estimations of $Q_1$ and $e_1$ without 
decoy states are: 



Qi >Q M 

(4.1) 

Here, note that since Alice and Bob cannot distinguish vacuum (background) contribution 
and single photon state contribution¹, they have to consider these two states together. 
For a vacuum qubit, since it is a random state, $\delta_b = \delta_p = 1/2$. Thus, for the combined 
state (single photon state and vacuum state), we still have $\delta_b = \delta_p$. 

Later in the simulation, we will see that the key rate and maximal secure distance 
of a coherent state QKD without decoy states are quite limited. In order to lower the 
amount of necessary privacy amplification, one needs to have a better estimation of $Q_1$ 
and $e_1$. From Eq. (3.7), we know that in order to estimate $Q_1$, one needs to estimate $Y_1$. 
Therefore, the question is: how can Alice and Bob estimate $Y_1$ and $e_1$ accurately? This 
is the motivation of the decoy state scheme. 

4.1.2 Solution 

From the model described in Section 3.2, there are two observations. First, $Y_i$ and $e_i$ can 
be changed by Eve, so they are unknowns to Alice and Bob. Secondly, $Q_\mu$ and $E_\mu$ can be 
determined by Alice and Bob. Thus, Alice and Bob need to estimate $Y_1$ and $e_1$ by using 
the knowledge of $Q_\mu$ and $E_\mu$. If only Eqs. (3.8) and (3.10) are considered, then Alice and 
Bob have to assume the worst scenario: all losses and errors come from the single photon 
state. 

1 Or, they cannot estimate the detection contributions from vacuum qubits, $Q_0$. 

We can see that Eqs. (3.8) and (3.10) are linear equations of $Y_i$ and $Y_i e_i$. In addition 
to the regular signal state, if Alice sends out extra pulses with different intensities, $\mu$, 
they will obtain more than one linear equation in the form of Eqs. (3.8) and (3.10). Here 
comes the key assumption of the decoy state method: 

$$
\begin{aligned}
Y_i(\text{decoy}) &= Y_i(\text{signal}) \\
e_i(\text{decoy}) &= e_i(\text{signal}).
\end{aligned}
\tag{4.2}
$$

These extra pulses are called decoy states. In the infinite decoy case [65], Alice and Bob 
perform an infinite number of decoy states, and then they can solve an infinite number 
of linear equations to obtain $Y_1$ and $e_1$ accurately. We call this case the infinite decoy 
state protocol. Here, note that with the infinite decoy state, one can strictly show [61] 
that the beam-splitting channel model discussed in Section 3.2.2 is a valid assumption. 

An intuition on why this can be done: from Eqs. (3.8) and (3.10), we can see that the 
contribution from high order terms of $Y_i$ and $e_i$ converge to 0 exponentially^2. If one only 
focuses on $Y_1$ and $e_1$, the number of unknowns can be chopped off to a finite number. In 
the next chapter, we will see that one or two decoy states are sufficient for practical use. 
In the simulation, we will use Eqs. (3.6) and (3.9) for the infinite decoy state case. For 
a detailed procedure of the decoy state method, one can refer to Section 5.4.2. 

In the following discussion, $\mu$ always refers to the intensity (expected photon number) 
of the signal state used for real key transmission. We will use $\nu$ for the expected photon 
number of decoy states. 

2 Actually, n! is quicker than exponential convergence. 

4.1.3 Discussion 

In a large parameter regime when the background contribution can be negligible and the 
error rate is not large, the key rate is roughly in the order of $R = O(\mu\eta)$ from Eq. (2.6). 

In Appendix B.1.1, we show that the optimal $\mu$ for the non-decoy state case is 
$\mu = O(\eta)$. Thus, the key rate is $R = O(\eta^2)$. That is, the key rate is quadratically dependent 
on the channel transmission. Note that in general, the channel transmission is quite 
low, typically less than 1%. This is the intrinsic reason why the performance of a QKD 
without decoy states is very limited. 
On the other hand, in Appendix B.1.1, we show that the optimal $\mu$ for the infinite 
decoy state case is $\mu = O(1)$. Thus, the key rate is $R = O(\eta)$. That is, the key rate 
is linearly dependent on the channel transmission. Note that even with a perfect single 
photon source, the highest order the key rate can reach is $R = O(\eta)$. Hence, with decoy 
states, one can treat a weak coherent state as a good single photon source for a QKD. 

Note that this conclusion is also true for other photon sources, e.g., triggering PDC 
sources [76], see discussions in Chapter 7. 

4.1.4 Simulation 

We simulate a recent coherent state QKD experiment [52]. This is to compare the cases 
with and without decoy states. The parameters of the experiment setup are listed in 
Table 3.1. 

For both cases, the key rate formula is the same, see Eq. (2.6). By using the Cascade 
protocol [16], the error correction efficiency is $f(E_\mu) = 1.22$. The gain $Q_\mu$ and QBER 
$E_\mu$ can be measured or tested from the experiment. Therefore, for both cases, we use 
the same formulae, Eqs. (3.8) and (3.10). The estimations of $Q_1$ and $e_1$ are different. 
For the case without decoy states, we use the formulae of Eq. (4.1). For the case with 
decoy states, we assume that Alice and Bob can estimate $Q_1$ and $e_1$ accurately. In the 
simulation, we use the formulae of Eqs. (3.6) and (3.9). 

As shown in Appendix B.1, we choose $\mu = 0.48$ for the case with decoy states and 
$\mu = \eta$ for the case without decoy states. The simulation result is shown in Figure 4.1. 

From the simulation result, we can see that the decoy state method can improve the 
QKD performance dramatically. 

1. With decoy states, the maximal distance can reach 142 km. For comparison, we 
find that with the prior art method, the maximal secure distance is only about 32 
km. 

2. At km distance, the key rates for decoy and no decoy cases are: $2.55 \times 10^{-3}$ and 
$7.97 \times 10^{-5}$. As we can clearly see, the gap between two curves increases when the 
distance increases. 

3. By comparing the upper bound of the key rate, which is discussed in the next 
section, one can see that in a large parameter regime (for instance, the distance 
between km and 120 km), the decoy state protocol can achieve a close performance 
as the upper bound shown in Section 4.2.2. 

4. We checked that our results are stable to small perturbations of the background 
count rate $Y_0$ and average photon number $\mu$ (both up to a 20% change). 

Figure 4.1: Plot of the key rate as a function of the transmission distance, comparing 
the coherent state QKD with decoy states and without decoy states. The calculation of 
the upper bound is shown in Section 4.2.2. The experiment setup parameters are listed 
in Table 3.1. 

4.2 Upper Bounds 

As we mentioned in Section 1.2.2, we are interested in maximizing two quantities, key rate 
and maximal secure distance. In this section, we investigate the upper bounds of these 
two quantities. By comparing the upper bound performance and the decoy state QKD 
performance, we want to investigate how much room is left for further improvement. 

4.2.1 Distance upper bound 

Due to a simple intercept-and-resend attack, an upper bound on the bit error rate of the 
BB84 protocol with single photon states is 25%. The maximal secure distance then can 
be bounded by the distance when the bit error rate of the single photon states $e_1$ reaches 
25%. According to our model, Eq. (3.9): 

$$e_1 = \frac{e_d \eta + \frac{1}{2} Y_0}{\eta + Y_0}$$

where $e_d$ is the intrinsic error rate of Bob's detectors, $\eta$ is the overall transmittance, and 
$Y_0$ is the background rate. Thus, $e_1$ exceeds 25% when 

$$\eta \le \frac{\frac{1}{4} Y_0}{0.25 - e_d} \tag{4.3}$$

In GYS's [32] case, the upper bound of the secure distance is 208 km by considering the 
parameters listed in Table 3.1. 



4.2.2 Key rate upper bound 

As for the BB84 protocol, the final secure key can only be derived from single photon 
qubits. To derive the upper bound of a key generation rate, we assume that Alice and Bob 
can distinguish the single photon qubits from other qubits (vacuum and multi photon 
qubits). Therefore, they can perform the classical data post-processing only onto the 
single photon qubits. One simple upper bound^3 of key generation rate is given by the 
mutual information between Alice and Bob [83]: 

$$R^U = Q_1 [1 - H_2(e_1)], \tag{4.4}$$

where $Q_1$ and $e_1$ are the gain and error rate of single photon states, respectively. The 
simulation result is shown in Figure 4.1. 

Note that the above two upper bounds, Eqs. (4.3) and (4.4), rely on two assumptions. 

• Alice and Bob cannot distinguish background counts and true signal counts. That 
is, they cannot decouple from $e_1$ in Eq. (3.9). 

• A secure key can only be extracted from single photon states. This is true for BB84 
and many other protocols. An exception is the SARG04 protocol [101]. 

Note that these two bounds are general upper bounds, regardless of the technique 
used for combating the effect of imperfect devices, such as the decoy state technique. 

3 Note that this upper bound is true for any post-processing (based on 1-LOCC or 2-LOCC) Alice 
and Bob use in BB84. 
4.3 Discussion 

First, from the simulation, we can see that the decoy state technique can dramatically 
improve the QKD performance. Later, we will discuss practical protocols for the decoy 
state QKD and experiment demonstrations. From there, we show that the decoy state 
method is highly practical. 

In comparison to the key rate upper bound, in a large distance regime (for instance, 
the distance between km and 120 km), the decoy state protocol achieves a close 
performance to the theoretical limit. Compared to the maximal secure distance upper bound, 
208 km, there is a 60 km gap between the theoretical limit and decoy state protocol. 
Later, by combining two-way classical communication post-processing schemes, we push 
this maximal secure distance for the infinite decoy state protocol beyond 180 km. From 
here, we can see that the decoy state protocol pushes the QKD performance close to the 
theoretical limit. 

Therefore, we expect the decoy state protocol to be a standard technique for 
prepare-and-measure QKD scheme implementations. 

Let us recap the key assumptions underlying the security proof for the decoy state 
QKD: first, there is the squash model and secondly, there is the assumption that Eve 
cannot distinguish decoy and signal states during key transmission. The second assumption 
is equivalent to Eq. (4.2). Later in Section 5.4, we can see that verifying this assumption 
is a nontrivial task in real experiments. On the other hand, in Chapter we show that 
this assumption can be loosened by using other single photon sources. 



Chapter 5 



Practical decoy state 

In this chapter, we will discuss practical proposals of the decoy state QKD and experi- 
mental demonstrations. Here again, we will focus on the coherent state BB84 QKD. 

The work of practical decoy state proposals is published in Ref. [77]. In this work, I 
apply the idea of the Vacuum+Weak decoy state protocol, which was first proposed by Lo 
[60], and consider statistical fluctuations. Here, I would like to highlight the theoretical 
contributions to the practical decoy state QKD from other groups [36, 123, 124]. 

The work for the experimental demonstration is published in Refs. [131, 132]. In this 
work, I designed the experimental parameters and analyzed data in the decoy state QKD 
experiment demonstration. Here, I would like to highlight the experimental 
demonstrations completed by other groups [MH £321 [991 [ffi3 M, fl29l fT28] . 

Note that aside from the decoy state method, we also studied other methods to 
improve the QKD performance, such as the dual detector scheme [93] . 

5.1 Practical proposals 

The general question in a decoy state scheme with m decoy states can be described by 
the following mathematical question. 

Question: Given 2(m + 1) constraints in the form of Eqs. (3.8) and (3.10), 
how do we obtain the lower bound of R given by Eq. (2.6)? 

When $m \to \infty$, Alice and Bob can solve $Y_1$ and $e_1$ accurately, in principle. This is 
the infinite case described in Section 4.1. 

In the following, we will present three practical decoy methods, the Vacuum+Weak 
decoy state and one decoy state, and a numerical method. For a general discussion of the 
two decoy state methods, one can refer to Ref. [77]. Note that in Ref. [77], we proved that 
the Vacuum+Weak decoy state protocol is optimal within the two decoy state methods. 



5.1.1 Vacuum+Weak decoy 

In this method, two decoy states are performed to bound $Y_1$ and $e_1$ separately. First, 
Alice and Bob implement a vacuum decoy state where Alice simply shuts off her photon 
source. In this case, all detections that Bob obtains are background counts 

$$
\begin{aligned}
Q_{vacuum} &= Y_0 \\
E_{vacuum} &= e_0 = \frac{1}{2}
\end{aligned}
\tag{5.1}
$$

The background counts occur randomly, thus its error rate is $e_0 = 1/2$. The vacuum 
decoy state allows Alice and Bob to estimate the background rate $Y_0$. 

Secondly, they perform a weak decoy state where Alice uses a weaker intensity $\nu$ 
($\nu < \mu$) for the decoy state. In this case, Bob's detections mainly come from two parts: 
background and single photon contributions. This is because when the intensity is weak, 
the probability of obtaining a multi photon state is small. With the estimation from the 
vacuum decoy state, one can estimate $Y_1$ and $e_1$ from the weak decoy state. 

Now, let us strictly solve the problem. The gains of the signal state and decoy state 
are given by Eq. (3.8): 

$$
\begin{aligned}
Q_\mu e^{\mu} &= Y_0 + \mu Y_1 + \frac{\mu^2}{2} Y_2 + \frac{\mu^3}{3!} Y_3 + \cdots \\
Q_\nu e^{\nu} &= Y_0 + \nu Y_1 + \frac{\nu^2}{2} Y_2 + \frac{\nu^3}{3!} Y_3 + \cdots
\end{aligned}
\tag{5.2}
$$

Considering $\mu^2 Q_\nu e^{\nu} - \nu^2 Q_\mu e^{\mu}$, we find that: 

$$\mu^2 Q_\nu e^{\nu} - \nu^2 Q_\mu e^{\mu} = (\mu^2 - \nu^2) Y_0 + \mu\nu(\mu - \nu) Y_1 + \frac{\mu^2\nu^2(\nu - \mu)}{3!} Y_3 + \cdots, \tag{5.3}$$

thus: 

$$Y_1 \ge Y_1^L = \frac{\mu}{\mu\nu - \nu^2} \left( Q_\nu e^{\nu} - Q_\mu e^{\mu} \frac{\nu^2}{\mu^2} - \frac{\mu^2 - \nu^2}{\mu^2} Y_0 \right) \tag{5.4}$$

since $\nu < \mu$ and all $Y_i \in [0, 1]$. 

The upper bound of $e_1$ can be simply derived by Eq. (3.10): 

$$e_1 \le e_1^U = \frac{E_\nu Q_\nu e^{\nu} - e_0 Y_0}{\nu Y_1^L}. \tag{5.5}$$
Substituting the normal case (without Eve) values, Eqs. (3.11), into these estimations, 
in the limit of $\nu \ll \mu$, we get: 

$$
\begin{aligned}
Y_1^L &\to \eta + Y_0 \\
e_1^U Y_1^L &\to e_0 Y_0 + e_d \eta
\end{aligned}
\tag{5.6}
$$

which is consistent with the expected value given by Eqs. (3.6) and (3.9). Thus, 
asymptotically, the Vacuum+Weak decoy method gives a tight lower bound of the key rate. In 
other words, the infinite decoy state protocol described in Section 4.1 is the asymptotic 
limit of the Vacuum+Weak decoy state protocol. 

Now let us examine how good these two bounds are by using the parameters listed 
in Table 3.1. Here, we define the deviation of the bounds: 



The simulation result is shown in Figure 5.1. 

From the simulation, we can see that both deviations are relatively independent of 
the channel transmission distance. The deviation of $e_1^U$ is larger than the one of $Y_1^L$. 
The choice of a weak decoy state $\nu$ is not very constrained since even with $\nu/\mu \approx 1/4$, 
the deviation is small. In Table 5.1, we can see that with $\nu/\mu \approx 1/4$, the key rate from 
the Vacuum+Weak decoy state protocol achieves a very close performance of the infinite 
decoy state case. 



            Infinite decoy                                Vacuum+Weak
Distance    $Y_1$          $e_1$    $R_{inf}$       $Y_1^L$        $e_1^U$   $R$
km          4.50 x 10^-2   3.30%    2.55 x 10^-3    4.34 x 10^-2   3.88%     2.19 x 10^-3
70 km       1.53 x 10^-3   3.35%    8.28 x 10^-5    1.47 x 10^-4   3.95%     6.99 x 10^-5
130 km      8.55 x 10^-5   4.23%    1.96 x 10^-6    8.23 x 10^-5   4.91%     1.24 x 10^-5

Table 5.1: List of the simulation results for three distances: km, 70 km and 130 km, 
comparing the Vacuum+Weak protocol with the case of the infinite (asymptotic) decoy 
state. For both protocols, we use $\mu = 0.48$. For the Vacuum+Weak decoy state protocol, 
we use $\nu = 0.13$. Parameters of the QKD experiment setup are listed in Table 3.1. 



Here, we compare Eqs. (3.6), (3.9), (5.4) and (5.5) by simulating the GYS experiment. 
We can see that the deviation of the key rate given by the Vacuum+Weak decoy state 
protocol and infinite decoy state protocol increases when the distance reaches the maximal 
secure distance. Similar to the conclusion from Figure 5.1, the deviation of $Y_1^L$ from $Y_1$ 
is small throughout the whole distance regime. 



Pel = 




(5.7) 
Figure 5.1: Plot of the relative deviations of $Y_1^L$ and $e_1^U$ from the expected values (i.e., 
the case $\nu \to 0$) as functions of $\nu/\mu$ with the fiber length 40 km (solid lines) and 140 km 
(dashed lines). The bounds $Y_1^L$ and $e_1^U$ are given by Eqs. (5.4) and (5.5), and the expected 
values are given by Eqs. (3.6) and (3.9). We consider the Vacuum+Weak protocol here. 
The expected photon number is $\mu = 0.48$ from the optimization calculation of Eq. (B.4) in 
Appendix B.1.2. The experiment setup parameters are from GYS [32], listed in Table 3.1. 
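The model behind the simulation of Section 4.1.4, the distance bound of Eq. (4.3) and the Vacuum+Weak bounds of Eqs. (5.4) and (5.5), as an added example that is not code from the thesis. The setup constants are assumptions standing in for Table 3.1, the no-decoy estimate is derived from the pessimistic assumption of Section 4.1.1 because Eq. (4.1) is not legible on this page, and all function names are hypothetical.

```python
import math

# Assumed setup values standing in for the thesis's Table 3.1 (not shown on
# this page); they are the figures commonly quoted for the GYS experiment.
ALPHA_DB_KM = 0.21   # fibre loss
ETA_BOB = 0.045      # Bob-side transmittance, detector efficiency included
E_D = 0.033          # intrinsic detector error rate e_d
Y0 = 1.7e-6          # background yield per pulse
E0 = 0.5             # a background click is a random bit
F_EC = 1.22          # error-correction efficiency f(E_mu) quoted for Cascade
Q_BB84 = 0.5         # basis factor q for standard BB84


def h2(p):
    """Binary entropy; an error rate at or above 1/2 leaves no secret fraction."""
    p = min(p, 0.5)
    return 0.0 if p <= 0 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def eta(km):
    """Overall transmittance of the link at a given fibre length."""
    return ETA_BOB * 10 ** (-ALPHA_DB_KM * km / 10)


def observed(mu, km):
    """Gain Q_mu and error gain E_mu*Q_mu seen for intensity mu, Eve absent."""
    signal = 1 - math.exp(-eta(km) * mu)
    return Y0 + signal, E0 * Y0 + E_D * signal


def key_rate(mu, km, q1, e1):
    """GLLP rate q * (-Q_mu f H2(E_mu) + Q_1 [1 - H2(e_1)]), floored at zero."""
    q_mu, eq_mu = observed(mu, km)
    rate = Q_BB84 * (-q_mu * F_EC * h2(eq_mu / q_mu) + q1 * (1 - h2(e1)))
    return max(rate, 0.0)


def infinite_decoy(mu, km):
    """Y_1 and e_1 known exactly (asymptotic case)."""
    y1 = Y0 + eta(km)
    e1 = (E0 * Y0 + E_D * eta(km)) / y1
    return y1, e1, key_rate(mu, km, y1 * mu * math.exp(-mu), e1)


def vacuum_weak(mu, nu, km):
    """Bounds of Eqs. (5.4) and (5.5); the vacuum decoy is assumed to give Y0 exactly."""
    q_mu, _ = observed(mu, km)
    q_nu, eq_nu = observed(nu, km)
    y1_low = mu / (mu * nu - nu**2) * (
        q_nu * math.exp(nu)
        - q_mu * math.exp(mu) * nu**2 / mu**2
        - (mu**2 - nu**2) / mu**2 * Y0)
    if y1_low <= 0:
        return y1_low, 0.5, 0.0
    e1_up = (eq_nu * math.exp(nu) - E0 * Y0) / (nu * y1_low)
    return y1_low, e1_up, key_rate(mu, km, y1_low * mu * math.exp(-mu), e1_up)


def no_decoy(km):
    """Every multi-photon pulse is assumed detected and error-free; mu = eta."""
    mu = eta(km)
    q_mu, eq_mu = observed(mu, km)
    q1 = q_mu - (1 - math.exp(-mu) * (1 + mu))   # gain left for vacuum + single photon
    return key_rate(mu, km, q1, eq_mu / q1) if q1 > 0 else 0.0


def max_distance(rate_at_km, limit=300):
    """Largest whole-km distance with a positive rate (rate falls with distance)."""
    km = 0
    while km < limit and rate_at_km(km + 1) > 0:
        km += 1
    return km


def distance_bound():
    """Distance at which e_1 reaches 25%, from the threshold of Eq. (4.3)."""
    eta_min = 0.25 * Y0 / (0.25 - E_D)
    return 10 * math.log10(ETA_BOB / eta_min) / ALPHA_DB_KM


if __name__ == "__main__":
    for km in (0, 70, 130):
        print(km, infinite_decoy(0.48, km), vacuum_weak(0.48, 0.13, km), no_decoy(km))
    print(max_distance(lambda d: infinite_decoy(0.48, d)[2]),
          max_distance(no_decoy), round(distance_bound(), 1))
```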



5.1.2 One decoy 

In some realistic situations, a vacuum decoy state may not be easy to perform, or the 
background count rate cannot be estimated accurately due to the fact that $Y_0$ is small 
(typically $10^{-5}$). Consequently, one needs to consider a case without the vacuum decoy 
state. That is, Alice and Bob only perform a weak decoy state. 

We treat the one decoy state method as an imperfect case of the Vacuum+Weak 
method. Assume that Alice and Bob perform the Vacuum+Weak decoy method, but 
they prepare very few states as vacuum decoy states. Therefore, they cannot estimate $Y_0$ 
very well. The one decoy protocol is the same as a Vacuum+Weak decoy state protocol, 
except that the value of $Y_0$ is unknown. Since Alice and Bob do not know $Y_0$, Eve can 
pick $Y_0$ as she wishes. We argue that, on physical grounds, it is advantageous for Eve 
to pick $Y_0$ to be zero. This is because Eve may gather more information on the 
single-photon signal than the vacuum. Therefore, the bound for the case $Y_0 = 0$ should apply 
to our one decoy protocol. For this reason, Alice and Bob can derive a bound on the key 
generation rate, R, by substituting $Y_0 = 0$ in Eqs. (5.4) and (5.5). 

Mathematically, one can treat $Y_0$ as an unknown variable in Eqs. (5.4) and (5.5), and 
determine the lower bound of the key generation rate, Eq. (2.6), for all possible $Y_0$. By 
taking the derivative of Eq. (2.6), one can find that 



trial 



atrial 



E„Que u 

n 



(5.1 



trial . 



gives a lower bound of the key rate. 

Later, in the next subsection, we will present a numerical method to estimate the key 
rate R. Now we can compare Eq. (5.8) with the numerical method by simulating the 
GYS experiment. In this case, we consider three distances: km, 70 km and 130 km. 



Distance    $Y_1^{trial}$   $e_1^{trial}$   $R_{one}$       $Y_1^{num}$    $e_1^{num}$   $R_{num}$
km          4.34 x 10^-2    3.89%           2.19 x 10^-3    4.36 x 10^-2   3.84%         2.22 x 10^-3
70 km       1.48 x 10^-3    4.40%           6.55 x 10^-5    1.48 x 10^-3   3.76%         7.26 x 10^-5
130 km      9.93 x 10^-5    13.0%                           8.33 x 10^-5   4.34%         1.65 x 10^-6

Table 5.2: List of simulation results for three distances: km, 70 km and 130 km, 
comparing the one decoy state protocol with the numerical optimization method shown 
in the next subsection. For both protocols, we use $\mu = 0.48$ and $\nu = 0.13$. Parameters 
of the QKD experiment setup are listed in Table 3.1. 



By comparing Tables 5.1 and 5.2, we can see that the numerical method, shown 
in the next subsection, can give the highest key rate of the three practical decoy state 
protocols. However, note that all four methods (infinite decoy, Vacuum+Weak, one-decoy 
and numerical method) achieve a close QKD performance in a large parameter regime. 
Here, we have not considered the statistical fluctuations. After considering the statistical 
fluctuations, the simulation result is shown in Figure 5.3. 



5.1.3 Numerical method 

Both the Vacuum+Weak and one decoy state protocols presented above bound $Y_1$ and 
$e_1$ separately. With reference to the original question that we were trying to solve in 
the beginning of this section, what we really want to bound is the key rate of Eq. (2.6) 
instead of $Y_1$ and $e_1$ separately. 

One natural practical decoy state protocol will be a numerical solution to the question 
stated in the beginning of this section. To do that, one needs to find the lower bound R 
of Eq. (2.6) given the constraints of Eqs. (3.8) and (3.10): 

$$
\begin{aligned}
Q_\mu e^{\mu} &= Y_0 + \mu Y_1 + \frac{\mu^2}{2} Y_2 + \frac{\mu^3}{3!} Y_3 + \cdots \\
Q_\nu e^{\nu} &= Y_0 + \nu Y_1 + \frac{\nu^2}{2} Y_2 + \frac{\nu^3}{3!} Y_3 + \cdots \\
E_\mu Q_\mu e^{\mu} &= Y_0 e_0 + \mu Y_1 e_1 + \frac{\mu^2}{2} Y_2 e_2 + \frac{\mu^3}{3!} Y_3 e_3 + \cdots \\
E_\nu Q_\nu e^{\nu} &= Y_0 e_0 + \nu Y_1 e_1 + \frac{\nu^2}{2} Y_2 e_2 + \frac{\nu^3}{3!} Y_3 e_3 + \cdots
\end{aligned}
\tag{5.9}
$$

The difference between the Vacuum+Weak and one decoy state protocols is whether $Y_0$ 
is known or not. 

In order to solve this question numerically, one needs to put a cut-off of $Y_i$ and $e_i$. 
Later in the simulation, we will consider a cut-off of i = 20. That is, $Y_i = e_i = 0$ for 
$i \ge 20$. Note that for i = 20 and $\mu = 1$, the probability is $P(20) = 1.51 \times 10^{-19}$ 
according to the Poisson distribution of the source photon number given by Eq. (3.3). 
For a reasonable finite key transmission, the higher order terms can be neglected. 

We present the numerical solutions in Table 5.3 by using the parameters in Table 3.1. 



Distance    $Y_1$          $Y_2$          $Y_3$           $e_1$    $e_2$           $R$
km          4.36 x 10^-2   1.15 x 10^-1   5.86 x 10^-13   3.84%    5.86 x 10^-13   2.22 x 10^-3
70 km       1.48 x 10^-3   4.01 x 10^-3   5.45 x 10^-4    3.76%    4.47 x 10^-3    7.26 x 10^-5
130 km      8.33 x 10^-6   2.15 x 10^-5   5.86 x 10^-13   4.34%    3.17%           1.65 x 10^-6

Table 5.3: Comparison of the numerical result with the infinite decoy state (asymptotic) 
case and the Vacuum+Weak protocol. For all three protocols, we use $\mu = 0.48$. For the 
two practical decoy state protocol, we use $\nu = 0.1$. Parameters of the QKD experiment 
setup from GYS 



Here, we have not considered the statistical fluctuations. From Table 5.3, we have 
the following remarks: 

1. If we only consider Eq. (5.4), Eve's optimal attack will be setting $Y_i = 0$ for $i \ge 3$. 
However, if we consider the numerical decoy state method as shown in Table 5.3, 
Eve might choose $Y_i \neq 0$ for $i \ge 3$^1. 

2. The result for the numerical decoy state method is relatively stable with a choice 
of a cut-off n. If we choose n = 30 or n = 40, the result fluctuates within 3%. Note 
that the numerical optimization algorithm that we used here might not be optimal. 



5.2 Statistical fluctuation analysis 

In this section, we will discuss the effect of finite data size on our estimation process for 
$Y_1$ and $e_1$. We will also discuss how statistical fluctuations might affect our choice of the 
weak decoy state intensity $\nu$. 

All real-life experiments are implemented within a finite period of time. Ideally, we 
would like to consider a QKD experiment that can be performed within, for instance, a 
few hours or so. This means that the experiment data size is finite. Shortly, we will see 
that the statistical fluctuation analysis is a rather complex problem. We do not have a 
full solution to the problem. Nonetheless, we will provide some rough estimation based 
on the standard error analysis which suggests that the statistical fluctuation problem of 
the practical decoy state methods for a QKD experiment appears to be under control, if 
the experiment is run over only a few hours. 



5.2.1 What parameters are fluctuating? 

Recall that in Eq. (2.6), there are four key parameters: the gain $Q_\mu$ and QBER $E_\mu$ of 
the signal state and the gain $Q_1$ and error rate $e_1$ of the single photon state. 

After key transmission, Bob can count the exact number of clicks and knows the total 
number of pulses. Hence, the gain of signal state $Q_\mu$, the ratio of the aforementioned 
two numbers, is measured directly from the experiment. Therefore, they do not need to 
consider the fluctuation of $Q_\mu$. 

In practice, Alice and Bob do not really need to sacrifice testing bits to estimate $E_\mu$. 
They can directly apply some classical error correction code, for instance, the Cascade [16] 
code, to correct all bit errors. Then they check whether the error correction is successful 
or not^2. Afterwards, they can calculate $E_\mu$ (if necessary) by counting the number of 
errors. Thus, there is no fluctuation for $E_\mu$ as well. 

1 In the numerical result, we find that $Y_3$ is always relatively small in comparison to $Y_2$, but the values 
of $Y_i$ for $i \ge 4$ are in the same order of $Y_1$. 

2 This can be done efficiently by random parity check. 
Thus, there is no fluctuation in the error correction part. The difficult part of the 
statistical fluctuation analysis is in the privacy amplification part. In the following 
discussion, we will focus on the statistical fluctuation analysis of the Vacuum+Weak decoy 
state method. To show the complexity of the problem, we will now discuss the following 
five sources of fluctuations. 

1. In practice, the intensity of the lasers used by Alice will be fluctuating. In other 
words, even the parameters $\mu$ and $\nu$ suffer from fluctuations. Without hard 
experimental data, it is difficult to pinpoint the extent of their fluctuations. Furthermore, 
the source may not even be a strict coherent state. To simplify our analysis, we 
will ignore their fluctuations in this thesis. 

2. Up until now, in our analysis, we have assumed that the distribution of the photon 
number eigenstates (Fock states) in each type of state is fixed, see Eq. (3.3). For 
instance, if N signal states of intensity $\mu$ are emitted, we assume that exactly $N\mu e^{-\mu}$ 
out of the N signal states are single photons. In real life, the value of $\mu e^{-\mu}$ is only 
a probability; the actual number of single photon signals will fluctuate statistically. 
This fluctuation is dictated by the law of large numbers. Hence, this problem should 
be solvable^3. For simplicity, we will neglect this source of fluctuations in this thesis. 

3. The yield $Y_i$ may fluctuate in the sense that $Y_i$ for the signal state might be slightly 
different from $Y_i'$ of the decoy state. Note that if one uses the vacuum state as 
one of the decoy states, then by observing the yield of the vacuum decoy state, 
conceptually, one has a very good handle on the yield of the vacuum component 
of the signal state (in terms of hypergeometric functions). However, note that the 
background rate is generally rather low (typically $10^{-5}$). Therefore, to obtain a 
reasonable estimation on the background rate, a rather large number (for instance, 
$10^7$) of the vacuum decoy states will be needed^4. Note that, with the exception of 
the case $i = 0$ (the vacuum case), neither $Y_i$ nor $Y_i'$ is directly observable in an 
experiment. In a real experiment, one can measure only some averaged properties. 
For instance, the gain $Q_\mu$ of the signal state, which can be experimentally 
measured, has its origin as the weighted averaged yields of the various photon number 
eigenstates $Y_i$'s, whereas the $Q_\nu$ for the decoy state is given by the weighted 
average of $Y_i'$'s. Relating the observed averaged properties, e.g., $Q_\mu$, to the underlying 
values of $Y_i$'s is a challenge. In summary, owing to the fluctuations of $Y_i$ for $i \ge 1$, 
it is not clear to us how to derive a closed form solution to the problem. 

3 It was subsequently pointed out to us by Gottesman and Preskill that the above two sources of 
fluctuations can be combined into the fluctuations in the photon number frequency distribution of the 
underlying signal and decoy states. These fluctuations will generally be averaged out to zero in the limit 
of a large number of signals, provided that there is no systematic error in the experimental set-up. 

4 As noted in Ref. [65], even a 20% fluctuation in the background will have a small effect on the QKD 
performance. 

4. The error rates, $e_i$'s, for the signal can also be different from the error rates $e_i'$'s for 
the decoy state, due to underlying statistical fluctuations. Actually, the fluctuation 
of $e_1$ appears to be the dominant source of errors in the estimation process. (See, for 
example, Table 5.4.) This is because the parameter $e_1$ is rather small (for instance, 
a few percent) and it appears in combination with another small parameter $Y_1$ in 
Eq. (3.10) for QBER. 

5. In the GLLP analysis [35] shown in Eq. (2.6), Alice and Bob need to correct phase 
errors, other than bit-flip errors. From Shor-Preskill's proof [106], we know that 
the bit-flip error rate and the phase error rate are supposed to be the same only in 
the asymptotic limit. Therefore, for a finite data set, one has to consider statistical 
fluctuations. This problem is well studied [106]. Since the number of signal states 
is generally very large, we will ignore this fluctuation from now on. 

Qualitatively, the yields of the signal and decoy states tend to decrease exponentially 
with distance. Therefore, statistical fluctuations tend to become more and more 
important as the transmission distance of QKD increases. In general, as the distance of QKD 
increases, an increasingly larger data size will be needed for the reliable estimation of $Y_1$ 
and $e_1$ (and hence R), thus requiring a longer QKD experiment. 

Here, we will neglect the fluctuations due to the first two and the fifth sources listed 
above. Even though we cannot find any closed form solution for the third and fourth 
sources of fluctuations, it should be possible to tackle the problem by simulations. Here, 
we are content with a more elementary analysis. We will simply apply a standard error 
analysis to perform a rough estimation on the effects of fluctuations due to the third 
and fourth sources. Note that the origin of the problem is strictly classical statistical 
fluctuations. There is nothing quantum in this statistical analysis. While standard 
error analysis (using essentially normal distributions) may not give a completely correct 
answer, we expect that it is correct at least in the order of magnitude. 

Our estimation, which will be presented below, shows that for a long-distance (> 100 
km) QKD with our Vacuum+Weak decoy state protocol, the statistical fluctuations effect 
(from the third and fourth sources only) appears to be manageable. This is so, provided 
that a QKD experiment is run for a reasonable period of time of only a few hours. Our 
analysis supports the viewpoint that our Vacuum+Weak decoy state protocol is practical 
for real-life implementations. 

We remark in passing that the actual classical memory space requirement for Alice 
and Bob is rather modest (< 1 GBytes) because at long distances, only a small fraction 
of the signals will give rise to detection events. 

We emphasize that we have not fully solved the statistical fluctuation problem for 
the decoy state QKD. This problem has turned out to be quite complex. There is other 
work being done to address the statistical fluctuation problem in the decoy state QKD 



5.2.2 Standard Error Analysis 

In the following, we will present a general procedure for studying the statistical 
fluctuations (due to the third and fourth sources noted in the previous subsection) by using the 
standard error analysis. 

Denote the number of pulses (sent by Alice) for signal as $N_s$, for the vacuum decoy 
state as $N_{vac}$ and for the weak decoy state as $N_w$. Then, the total number of pulses sent 
by Alice is given by: 

$$N = N_s + N_{vac} + N_w. \tag{5.10}$$

Following that, the parameter q in Eq. (2.6) is given by: 

$$q = \frac{N_s}{2N}. \tag{5.11}$$

Here, we assume that Alice and Bob perform standard BB84, so there is a factor of 1/2. 

In practice, since N is finite, the statistical fluctuations of $Q_1$ and $e_1$ cannot be 
neglected. All these additional deviations will be related to data sizes $N_s$, $N_{vac}$ and $N_w$ 
and, in principle, can be obtained from statistical analysis. A natural question prompted 
by such is as follows. Given the total data size N = const, how do we distribute it to 
$N_s$, $N_{vac}$ and $N_w$ for maximizing the key generation rate R? This question also relates 
to another one: how do we choose an optimal weak decoy $\nu$ to give a good lower bound 
of R? 

In principle, our optimization procedure should look like the following. First, one 
needs to derive a lower bound of $Q_1$ and an upper bound of $e_1$ (as functions of the data 
sizes $N_s$, $N_{vac}$, $N_w$ and $\nu$), taking into account statistical fluctuations. Secondly, one 
substitutes these bounds into Eq. (2.6) to calculate the lower bound of the key generation 
rate, denoted by $R^L$. Thus, the key rate lower bound $R^L$ is a function of $N_s$, $N_{vac}$, $N_w$ 
and $\nu$, and will be maximized when the optimal distribution satisfies 

$$\frac{\partial R^L}{\partial N_s} = \frac{\partial R^L}{\partial N_{vac}} = \frac{\partial R^L}{\partial N_w} = 0, \tag{5.12}$$

given that $N = N_s + N_{vac} + N_w$ = const. 

In this statistical fluctuation analysis, our assumptions are as follows: 

1. Alice knows the exact value of the average photon pair number $\mu$ and $\nu$, which is 
a fixed number during key transmission. 

2. The distribution of the photon number, Eq. (3.3), does not fluctuate. 

3. Assume that the QKD transmission is part of an infinite length experiment. Hence, 
$Q_\mu$ ($E_\mu$) can be regarded as a tested value of the true gain (QBER). Thus, we can 
use the standard error analysis to address statistical fluctuations. 

5.2.3 Choice of $N_s$, $N_{vac}$, $N_w$ and $\nu$ 

From the theoretical deviations of $Y_1$ and $e_1$, shown in Figure 5.1, reducing $\nu$ may 
decrease the theoretical deviations. On the other hand, given a fixed $N_w$, reducing $\nu$ will 
decrease the number of detection events of the decoy states, which in turn causes a larger 
statistical fluctuation. Thus, for fixed $N_s$, $N_{vac}$ and $N_w$, there exists an optimal choice 
of $\nu$ which maximizes the lower bound of the key generation rate $R^L$: 

$$\frac{\partial R^L}{\partial \nu} = 0,$$

which can be simplified to: 

$$\frac{\partial}{\partial \nu}\left\{ Y_1^L \left[ 1 - H_2(e_1^U) \right] \right\} = 0, \tag{5.13}$$

where $Y_1^L$ and $e_1^U$ are the lower bound to $Y_1$ and the upper bound to $e_1$ when statistical 
fluctuations are considered. 

As defined in Eq. (5.11), choosing a larger $N_s$ leads to a larger factor $q$ in Eq. (2.6). 
On the other hand, choosing large values of $N_{vac}$ and $N_w$ can help with better estimations 
of $Y_1$ and $e_1$. Thus, there is a trade-off between $N_s$, $N_{vac}$ and $N_w$. In order to achieve an 
optimal $R$, one needs to choose an appropriate set of values $N_s$, $N_{vac}$, $N_w$ and $\nu$. Given 
the total data size in Eq. (5.10), in principle, one can solve Eqs. (5.12) and (5.13) to 
get $N_s$, $N_{vac}$, $N_w$ and $\nu$. In the later simulation, we will numerically optimize these four 
parameters. 
5.3 Simulation 

In practice, solving Eq. (5.12) is a complicated problem. One problem that we have 
mentioned in Section 5.2.1 is that the relations between $N_s$, $N_{vac}$, $N_w$ and estimations of 
$Q_1$ and $e_1$ are difficult to describe strictly. In the following, we will be content with a rough 
estimation procedure using the standard error analysis. We will focus on the Vacuum+Weak 
decoy method. 

One observation is that Alice and Bob should compare all their detection events of 
decoy states publicly. In principle, they can also use decoy states to generate the final key. 
Note that the signal state is chosen to be optimal for key rate generation. In other words, 
decoy states are not as efficient as signal states to generate the final key. Therefore, it is 
more efficient for Alice and Bob to use decoy states only for estimations of $Y_1$ and $e_1$. 

Two assumptions: 

1. We assume that the decoy state used in the actual experiment is conceptually only 
a part of an infinite population of decoy states. There are underlying values for 
$Q_\nu$ and $E_\nu$ as defined by the population of decoy states. In each realization, the 
decoy state allows us to obtain some estimates for those underlying $Q_\nu$ and $E_\nu$. 
Alice and Bob can use the fluctuations of $Q_\nu$, $E_\nu$ to calculate the fluctuation of the 
estimates of $Y_1$ and $e_1$. 

2. When the number of events (e.g. the total detection events of the vacuum decoy 
state) is large (for instance, > 50), we assume that the statistical characteristic of 
a parameter can be described by a normal distribution. 



We will use the experiment parameters in Table 3.1 and show numerical solutions of 
Eqs. (5.10), (5.12) and (5.13). We pick the total data size (the number of pulses sent by 
Alice) to be $N = 6 \times 10^9$. The GYS experiment [32] has a repetition rate of 2 MHz and 
an uptime of around 50%^5. Therefore, it should take only a few hours to perform our 
proposed experiment. The optimal $\mu = 0.48$ can be calculated by Eq. (B.4) and we use 
$f(e) = 1.22$. 

In a fiber length of 103.6 km ($\eta = 3 \times 10^{-4}$), the optimal weak decoy state intensity $\nu$, 
pulses distribution of data, and the deviations from the infinite decoy method are listed 
in Table 5.4. 

5 Z. L. Yuan, private communication. 
$l$          $\mu$    $u$    $N$               $N_s$               $N_{vac}$           $N_w$
103.62 km    0.479    10     $6 \times 10^9$   $3.98 \times 10^9$  $1.76 \times 10^9$  $2.52 \times 10^8$

$\eta$              $\nu$    $B$ [bits]          $P_{Y0}$   $P_{Y1}$   $P_{e1}$   $P_R$
$3 \times 10^{-4}$  0.127    $2.17 \times 10^4$  48.31%     7.09%      97.61%     74.11%

Table 5.4: List of the optimal choice of $\nu$ and pulse number distribution for the 
Vacuum+Weak decoy state protocol with statistical fluctuation analysis. The pulse number 
distribution, $N_s$, $N_{vac}$ and $N_w$, is calculated by Eq. (5.12). The optimal weak decoy 
state intensity is calculated by Eq. (5.13). $B$ is the lower bound of the number of the 
final key bits. All results are obtained by numerical programming using MatLab. The 
variable $P_{Y1}$ denotes the relative deviation in our estimation process of $Y_1$ from its true 
value by using the data from a finite experiment. This relative deviation originates from 
finite data with statistical fluctuations. This definition contrasts with the definition of 
$P_{Y1}$ in Eq. (5.7), which refers to the relative difference between the values of $Y_1$ for case 
i) where $\nu$ is finite and case ii) where $\nu$ approaches zero. Similarly, other $P$s denote the 
relative deviations in our estimates for the corresponding variables in the subscript of 
$P$. We assume that all the statistical fluctuation belongs to the confidence interval of 
$u = 10$ standard deviations (i.e., $1 - 1.5 \times 10^{-23}$). The experiment parameters are listed 
in Table 3.1. 

For any fiber length, we can solve Eqs. (5.12) and (5.13) to get $N_s$, $N_E$, $N_{vac}$, $N_w$ and 
$\nu$. Figure 5.2 shows how the optimal $\nu$ changes with transmission distance. 

We have a few remarks on Figure 5.2, optimal $\nu$ versus transmission distance. 

1. The optimal $\nu$ is small ($\sim 0.1 < \mu$) through the whole distance. In fact, it starts 
at a value $\nu \approx 0.04$ at zero distance and increases with the transmission distance. 

2. There is a small flat step at a distance of 82 km. This is due to the fact that the vacuum 
decoy state becomes useful. In the 0 km to 82 km transmission distance regime, the 
optimal pulse number for the vacuum decoy state $N_{vac}$ is 0. That is, in this regime, 
one should use the one decoy state protocol instead of the Vacuum+Weak 
protocol. 

3. As the transmission distance increases, the optimal $\nu$ increases. This is reasonable 
because in a longer distance, the total transmittance $\eta$ is low, thus Alice and Bob 
need to put more pulses for decoy states and choose a larger $\nu$ to estimate $Y_1$ and 
$e_1$ accurately. 

6 Actually, we did this simulation first and found this strange behavior at a distance of 82 km. Then 
we came up with the one decoy state protocol. 

Figure 5.2: Plot of optimal $\nu$ versus transmission distance. The solid line shows the 
simulation result of the Vacuum+Weak protocol (Eqs. (5.4) and (5.5)) with statistical 
fluctuations. The dashed line shows the result for the one decoy state method (Eq. (5.8)). 
Here, we pick the data size (total number of pulses emitted by Alice) to be $N = 6 \times 10^9$. 
We find the optimal $\nu$s for each fiber length by numerically solving Eqs. (5.10), (5.12) 
and (5.13). The confidence interval for statistical fluctuation is 10 standard deviations 
(i.e., $1 - 1.5 \times 10^{-23}$). The simulation parameters are listed in Table 3.1. The expected 
photon number of signal state $\mu = 0.48$ is calculated by Eq. (B.4). 

Now, we can put all these elements together to investigate the key generation rate $R$ 
of Eq. (2.6). Figure 5.3 shows the key rate of the two practical decoy state protocols with 
statistical fluctuations in comparison to the infinite decoy state protocol (the asymptotic 
case). For each distance point, we optimize $\nu$, $N_s$, $N_{vac}$ and $N_w$ numerically by considering 
Eqs. (5.12) and (5.13). 

One can see that even taking into account the statistical fluctuations, both of the 
Vacuum+Weak and the one decoy state protocols can achieve close performance to the 
infinite decoy state protocol. Therefore, the following is noted: 
Figure 5.3: Plot of key generation rate in terms of channel transmission distance. The 
dotted line shows the key rate of the infinite decoy state method (the asymptotic case of 
the Vacuum+Weak decoy state protocol). The solid and dashed lines show the key rate of 
the Vacuum+Weak and one decoy state protocol with statistical fluctuations respectively. 
The data size is $N = 6 \times 10^9$. The simulation parameters are listed in Table 3.1. The 
expected photon number of signal state $\mu = 0.48$ is calculated by Eq. (B.4). 

1. In a large regime of the distance (for instance, the distance between 0 km and 100 
km), the two practical decoy state methods with statistical fluctuations achieve 
performance close to the asymptotic limit of the infinite decoy state method. This 
is the case when the channel is not that lossy and the statistical fluctuations are easily 
controllable. This fact highlights the feasibility of the two practical decoy state 
protocols. 

2. As shown in Figure 5.2, the vacuum decoy state becomes useful at 82 km. 

3. The maximal secure distances of the three curves are 142 km, 125 km and 122 km. 
Note that with a larger data size, for instance, $N = 8.4 \times 10^{10}$, the maximal secure 
distance of the Vacuum+Weak decoy state method can achieve 132 km. 

We have also simulated other experiment setups and all the results are consistent 
with the simulation result of the GYS experiment setup shown above. For more details, 
one can refer to Refs. [77J E3]. 



5.4 Experimental demonstrations 

The experimental demonstrations for the decoy state methods were first implemented by 
our group [33H [132] and followed by many other groups [99l ESI EE H-291 fl28] . 



5.4.1 How to generate decoy states 

The only difference between the decoy state QKD setup and the regular setup is that in the 
decoy state method, Alice needs to prepare decoy states, which have different intensities 
from the original signal states. Otherwise, the two setups are the same. The regular 
setup of the QKD without decoy states is discussed in Section 3.3. 

There are several ways to generate decoy states. One way to do that is by using an 
attenuator to change the light intensity. There are two criteria for the attenuator. 

• The attenuator can change attenuations fast enough^7. Alice needs to prepare a 
decoy or signal state randomly in each pulse. Thus, the speed of changing attenuation 
should not be lower than the QKD repetition rate. 

• The attenuator will not introduce differences in properties between signal and 
decoy states except for intensities. This is one precondition for the security of QKD 
with decoy states, as shown in Eq. (4.2). In a real experiment, one might need to 
apply some approximation. For example, an acousto-optic modulator (AOM) may 
shift the frequency of light. However, if we assume that both signal and decoy states 
will be shifted by the same amount of frequency, then we can still use AOM to 
prepare signal and decoy states. 

For more discussions of using AOM to prepare decoy states, one can refer to Ref. [131]. 

Another way to prepare decoy states is by using different laser sources [88]. In this 
case, Alice can choose signal and decoy states by switching between different laser sources. 
Similarly, we require the switch to be fast enough and the laser sources to have the same 
properties except for intensities. 



7 Or it can switch on and off fast. 
5.4.2 Experimental data post-processing 

The processing of the decoy state QKD is as follows. 

1. Alice prepares decoy and signal states and sends them to Bob. Bob measures all 
pulses in the two conjugate bases. 

2. Bob announces the pulses for which he obtains non-vacuum detections. Alice announces 
the pulses that are used for decoy states. Then they determine all the gains of 
signal and decoy states. 

3. They perform basis reconciliation. Note that even those detection events for which Alice 
and Bob use different bases can be used to calculate the gains of signal and decoy 
states. 

4. They compare all bit values of decoy states to determine the QBER(s) of decoy states. 

5. Alice and Bob perform error correction and error testing, after which they can 
determine the QBER of signal states. 

6. They estimate the necessary amount of privacy amplification. Taking the 
Vacuum+Weak decoy state protocol for example, they estimate $Y_1$ and $e_1$ from the values of 
$Q_\mu$, $E_\mu$, $Q_\nu$, $E_\nu$ and $Q_{vac}$. In this step, they need to consider statistical fluctuations, 
for instance, by the procedures described in Section 5.2. Then they can plug all 
the values into Eq. (2.6) to calculate the amount of key that needs to be sacrificed for 
privacy amplification. Note that Eq. (2.6) is for the post-processing with one-way 
classical communication. In the next chapter, we will show that this result can be 
improved by introducing two-way classical communication. 

7. They perform privacy amplification to get the final secure key. 

Here, we describe the case where the QKD transmission is successful. In practice, 
Alice and Bob can keep tracking whether the final key is positive or not to determine 
whether they should continue the post-processing or not. For example, after step 2, they 
can estimate $Y_1$. If the lower bound of $Y_1$ is zero (or even negative), then they abort the 
post-processing and start QKD again. 
5.5 Conclusion 

The main conclusion of Chapters 4 and 5 is that the decoy state QKD takes a big step 
toward practical quantum cryptography. Recall that the motivation of this thesis is to 
encourage QKD into real-life applications. 

Our result shows that we can have the best of both worlds: enjoy both unconditional 
security and record-breaking experimental performance. The decoy state method can 
increase key generation rate and extend the distance of QKD dramatically, all within 
the framework of unconditional security. The general principle of the decoy state QKD 
developed here can have widespread applications in other set-ups (e.g. open-air QKD or 
QKD with other photon sources). Later, we will come back to this point. 

For practical implementations, we are able to show that with only one or two decoy 
states, one can achieve most of the benefits of the decoy state method. All the decoy 
state QKD experiment demonstrations, including our first realization, show that the 
decoy state idea is easy to implement in real system setups. 

Recently, Yuan, Sharpe and Shields implemented an experimental decoy state QKD 
demonstration that can achieve a 5.51 kbits/s secure key rate through a 25.3 km fiber 
[129]. Let us compare this result to a couple of typical values in real-life communications. 
The state of the art digital speech coding [91] typically needs a bit rate around 4-10 
kbits/sec. A typical city wide area network must cover an area with a radius of 5-25 km. 
As for other communications, such as video conversation, the bit rate may not be high 
enough. We want to point out that the bit rate might not be an essential problem. One 
can store a long secure key first and then use it for secure communications^8. 

Therefore, we conclude that the practical quantum cryptography is close to real-life 
applications. 

Note that other than the decoy state method, there are other approaches to enhance 
the performance of the coherent state QKD, such as our dual detector scheme [93], QKD 
with strong reference pulses [HJ 1110] and differential-phase-shift QKD [12] . 



8 One needs to consider the key management issue in this case. 
Decoy state QKD with 2-LOCC 



As shown in the previous two chapters, the decoy state technique is an effective method 
for improving QKD performance. The data post-processing scheme of the decoy state 
QKD scheme that we proposed uses one-way classical communication. In this chapter, 
we develop two data post-processing schemes for the decoy state method using two-way 
classical communication. Our numerical simulation results show that the first scheme is 
able to extend the maximal secure distance from 142 km (by using only one-way classical 
communication with decoy states) to 181 km. The second scheme is able to achieve a 10% 
greater key generation rate in the whole regime of the distance. We conclude that the 
decoy state QKD protocol with two-way classical post-processing is of practical interest. 

Here, we only consider a case without statistical fluctuations. For a statistical fluc- 
tuation analysis for the decoy state QKD with local operations and two-way classical 
communication (2-LOCC), one can refer to Ref. [74]. 

This work is published in Ref. [71]. In this project, I applied the Gottesman-Lo's 
2-LOCC EDP and recurrence scheme to the decoy state QKD protocol and simulated a 
PDC experiment to show the improvement by using two-way classical communication in 
the decoy state QKD protocol. 



6.1 2-LOCC EDP 



First, let us review two EDPs based on 2-LOCC (Gottesman-Lo EDP and recurrence 
EDP) assuming that ideal single-photon (or perfect EPR) sources are used. Later, we 
will apply these two schemes to the decoy state QKD protocol. 
6.1.1 Gottesman-Lo EDP 

Gottesman and Lo [34] introduced an EDP based on 2-LOCC for use with QKD and 
showed that it can tolerate a higher bit error rate than 1-LOCC based EDPs. B and P 
steps are two primitives in the Gottesman-Lo EDP, and the EDP consists of executing a 
sequence of B and/or P steps, followed by a 1-LOCC EDP. The main objective for extra 
B and P steps is reducing the bit and/or phase error rates of qubits so that the following 
1-LOCC EDP can work to extract secure keys. This is the reason why the Gottesman-Lo 
EDP is able to tolerate a higher initial bit error rate than 1-LOCC EDPs. The definitions 
of B and P steps are as follows: 

Definition of B step [34]: (Figure 6.1) After randomly permuting all the EPR pairs, 
Alice and Bob perform a bilateral XOR (BXOR) between pairs of the shared EPR pairs 
and measure the target qubits in the Z basis. This effectively measures the operator $Z \otimes Z$ 
by Alice and Bob locally, and detects the presence of a single bit flip error. If Alice and 
Bob's measurement outcomes disagree, they discard the remaining EPR pair. Otherwise, 
they keep the control qubit. 




Figure 6.1: Alice and Bob each choose two qubits of two corresponding EPR pairs and 
input the quantum circuit as shown above. They discard both control and target qubits 
if they disagree on the outcomes of measurement on the target qubits. On the other 
hand, they keep the control qubits as surviving qubits if their measurement outcomes 
agree. 

Since the B step only involves the measurement of $Z \otimes Z$, it can be used in the 
prepare-and-measure protocol, BB84. Classically, the B step simply involves random 
pairing of the key bits, for instance, $x_1, x_2$ on Alice's side and $y_1, y_2$ on Bob's side and 
the computation of the parity of each pair of bits, $x_1 \oplus x_2$ and $y_1 \oplus y_2$. Both Alice and 
Bob announce the parities. If their parities are the same, they keep $x_1$ and $y_1$; otherwise, 
they discard $x_1$, $x_2$, $y_1$ and $y_2$. We can see that the B step is very simple to implement 
in data post-processing. 
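Suppose Alice and Bob input a control qubit $(q_{00}^C, q_{10}^C, q_{11}^C, q_{01}^C)$ and a target qubit 
$(q_{00}^T, q_{10}^T, q_{11}^T, q_{01}^T)$ with bit error rates $\delta_b^C$ and $\delta_b^T$ and phase error rates $\delta_p^C$ and $\delta_p^T$, 
respectively^1. After one B step, the survival probability $p_S$ is given by: 

$$p_S = (q_{00}^C + q_{01}^C)(q_{00}^T + q_{01}^T) + (q_{10}^C + q_{11}^C)(q_{10}^T + q_{11}^T) = (1 - \delta_b^C)(1 - \delta_b^T) + \delta_b^C \delta_b^T, \tag{6.1}$$

and the density matrix $(q'_{00}, q'_{10}, q'_{11}, q'_{01})$ of the output control qubit is given by: 

$$\begin{aligned}
q'_{00} &= \frac{q_{00}^C q_{00}^T + q_{01}^C q_{01}^T}{p_S}, \\
q'_{10} &= \frac{q_{10}^C q_{10}^T + q_{11}^C q_{11}^T}{p_S}, \\
q'_{11} &= \frac{q_{10}^C q_{11}^T + q_{11}^C q_{10}^T}{p_S}, \\
q'_{01} &= \frac{q_{00}^C q_{01}^T + q_{01}^C q_{00}^T}{p_S}.
\end{aligned} \tag{6.2}$$

Eqs. (6.2) can be derived from Table II of [13]. The corresponding bit error rate $\delta'_b$ and 
phase error rate $\delta'_p$ can be obtained from Eq. (6.2) by 

$$\begin{aligned}
\delta'_b &= q'_{10} + q'_{11} = \frac{\delta_b^C \delta_b^T}{p_S}, \\
\delta'_p &= q'_{11} + q'_{01}.
\end{aligned} \tag{6.3}$$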

Definition of P step [34]: (Figure 6.2) Alice and Bob randomly permute all the EPR 
pairs. Afterwards, they group the EPR pairs into sets of three, and measure $X_1X_2$ and 
$X_1X_3$ on each set (for both Alice and Bob). This can be done (for instance) by performing 
a Hadamard transform, two bilateral XORs, measurement of the last two EPR pairs, and 
a final Hadamard transform. If Alice and Bob disagree on one measurement, Bob will 
conclude the phase error is probably on one of the EPR pairs which was measured, and 
do nothing; if both measurements disagree for Alice and Bob, Bob assumes the phase 
error is on the surviving EPR pair and corrects it by performing a Z operation. 

Without a quantum computer, Alice and Bob are not able to perform P steps by 
the quantum circuit shown on the left-hand side of Figure 6.2. In order to implement 
P steps classically, they can choose a post-processing scheme that does not rely on the 
measurement result from P steps. That is, they can implement the right-hand side 
quantum circuit of Figure 6.2 by simply omitting the measurement step. Thus, when a P 
step is implemented classically in BB84^2, the phase errors are not detected or corrected 
(i.e. the phase flip operation Z is not applied). Note that the measurement step in Figure 
6.2 is not important because the phase errors do not need to be corrected in QKD [106]. 
The phase error correction is used in the security proof. One only needs to show that 
Alice and Bob could have done the phase error correction, but they do not really need to do it. 
From this point of view, P steps are conceptually similar to the privacy amplification. 

1 The superscripts C and T stand for the control and target qubits, respectively. The subscripts 00, 10, 
11 and 01 stand for the case with no error, with a bit error, with both a bit and a phase error, and with 
a phase error, respectively. 

Figure 6.2: The two circuits are quantum mechanically equivalent. Alice and Bob each 
choose three qubits of three corresponding EPR pairs and input the quantum circuit as 
shown above. This figure is originally from Ref. [3]. 

The P step then will be reduced to where Alice and Bob randomly form trios of the 
remaining qubits and compute the parity of each trio, for instance, $x_1 \oplus x_2 \oplus x_3$ by Alice 
and $y_1 \oplus y_2 \oplus y_3$ by Bob. They now regard those parities as their new bits for further 
processing. 

Since before P steps, Alice and Bob will perform random permutation, for simplicity, 
we assume the input three qubits have the same density matrix: $(q_{00}, q_{10}, q_{11}, q_{01})$. After 
one P step, the density matrix $(q'_{00}, q'_{10}, q'_{11}, q'_{01})$ of the output qubit is given by: 

$$\begin{aligned}
q'_{00} &= q_{00}^3 + 3 q_{00}^2 q_{01} + 3 q_{10}^2 (q_{00} + q_{01}) + 6 q_{00} q_{10} q_{11}, \\
q'_{10} &= q_{10}^3 + 3 q_{10}^2 q_{11} + 3 q_{00}^2 (q_{10} + q_{11}) + 6 q_{00} q_{10} q_{01}, \\
q'_{11} &= q_{11}^3 + 3 q_{10} q_{11}^2 + 3 q_{01}^2 (q_{10} + q_{11}) + 6 q_{00} q_{11} q_{01}, \\
q'_{01} &= q_{01}^3 + 3 q_{00} q_{01}^2 + 3 q_{11}^2 (q_{00} + q_{01}) + 6 q_{10} q_{11} q_{01},
\end{aligned} \tag{6.4}$$

which is given in Appendix C of [34]. Therefore, the bit error rate and phase error rate 
will be given by: 

$$\begin{aligned}
\delta'_b &= q'_{10} + q'_{11} = 3 \delta_b (1 - \delta_b)^2 + \delta_b^3, \\
\delta'_p &= q'_{11} + q'_{01} = 3 \delta_p^2 (1 - \delta_p) + \delta_p^3.
\end{aligned} \tag{6.5}$$



2 Strictly speaking, this procedure is different from the original P step we described. For simplicity, 
we use the same name for this simplified version of the P step. 
Here, we emphasize that the B and P steps are important elements of the Gottesman- 
Lo EDP. After the B and P steps, the Gottesman-Lo EDP will be the same as the regular 
1-LOCC EDP. 

6.1.2 Recurrence EDP scheme 

Here, we review another two-way EDP, the recurrence scheme [118]. Similar to the B step 
in the Gottesman-Lo EDP, the recurrence scheme reduces the bit error rate of the EPR 
pairs before passing them to the 1-LOCC based EDP for the distillation of maximally- 
entangled EPR pairs. However, there are two main differences between these two EDP 
schemes. The first is how the bit error syndrome of a target EPR pair in a bilateral 
XOR operation is learned. In the Gottesman-Lo EDP, Alice and Bob simply measure 
the target EPR pair in the Z basis and compare their results to learn about the bit 
error syndrome (see Figure 6.1). In the recurrence scheme, Alice and Bob group the 
bit error syndromes of all target EPR pairs together and learn about all the syndromes 
using random hashing. The second difference is that the recurrence scheme requires some 
extra maximally-entangled EPR pairs to begin with in order to learn about the bit error 
syndromes, whereas no such extra pairs are required in the Gottesman-Lo EDP. Note 
that the recurrence methods were studied in various papers, such as [221 ESI El [21]. 
The procedure of the recurrence protocol is described as follows: 

1. Alice and Bob perform two BXOR operations on two noisy EPR pairs and one 
perfect maximally-entangled EPR pair. Specifically, the first BXOR is performed 
on one noisy EPR pair as the source and the perfect EPR pair as the target, and 
the second BXOR is performed using the other noisy EPR pair as the source and 
the same target. 

2. They perform random hashing on the target EPR pairs to learn about the parities 
of the noisy EPR pairs. Note that only a portion of the target EPR pairs have to 
be measured in order to learn about all the parities. This is different from the B 
step approach. 

3. They perform error correction and privacy amplification separately for even-parity 
and odd-parity EPR pairs. 

In the prepare-and-measure scenario, the first two steps are as follows: Alice and 
Bob randomly pair up the key bits, and for each pair they compute the parity. They 
each compress their own sequence of parities by using random hashing, encrypt the 
resulting hash values using the one-time pad with some pre-shared secret bits, and send 
the encrypted results to each other. Note that they use the same sequence of secret bits to 
encrypt their own sequence of hash values. They learn about the parities of the original 
noisy EPR pairs by adding the other party's encrypted sequence to their own encrypted 
sequence of hash values. Once they know the parities, they perform error correction and 
privacy amplification on the even-parity and odd-parity key bits separately. Note that 
the secret bits used up in the process should be returned to the secret bits pool by using 
the newly generated secret bits. 

The key generation rate using the recurrence EDP with a single-photon source is 
given by: 

(6.6) 

where $q$ is defined similarly as in Eq. (2.4), $p_S$ is the probability of obtaining even parity 
given in Eq. (6.1), and $\delta_b^{C(T)}$ is the bit error rate of the control (target) EPR pair. 
Here, the first term in the bracket corresponds to the extra perfect EPR pairs borrowed, 
the second term corresponds to error correction, and the third term $K$ corresponds to 
the privacy amplification given in Eq. (A.12). In Appendix A.2, we review the recurrence 
EDP in detail and develop a key rate formula. 

6.1.3 Bounds of error rates 

Here, we will consider the bounds of error rates (bit error rate $\delta_b$ and phase error rate 
$\delta_p$), assuming a laser source that emits a basis-dependent single-photon source. The 
upper bounds can be derived by considering some simple attacks (such as the 
intercept-resend attack) and determining the QBER caused by these attacks. The lower bounds 
can be determined by the unconditional security proof assuming that Eve is performing 
arbitrary attacks allowed by the law of quantum mechanics, and Alice and Bob employ 
a certain post-processing scheme (such as the Gottesman-Lo EDP described in Subsection 
6.1.1). One lower bound, obtained by considering Gottesman-Lo EDP, is 18.9% [34]. For 
BB84, an upper bound, obtained by considering an intercept-resend attack, is 25%. 

Here, we consider the lower bound in a general setting where the error rates are 
characterized by $(\delta_b, \delta_p)$. In general, the bit error rate $\delta_b$ can be measured by error testing, 
but the phase error rate $\delta_p$ cannot be directly observed from the QKD experiment. In 
order to guarantee the security, Alice and Bob have to bound $\delta_p$ with the knowledge of 
$\delta_b$. For BB84 with an ideal single-photon source, due to the symmetry between the X 
and Z bases, one can show that the bit error rate and the phase error rate are the same, 
i.e. 

$$\delta_b = \delta_p. \tag{6.7}$$

In general, for other protocols or with non-ideal sources (including coherent state sources), 
the bit and phase error rates might be different. For example, even for BB84, when a 
basis-dependent source is used, Eq. (6.7) may not hold. In this case, according to Eq. (9) 
of [50], due to the concavity of the right hand side of the equation, it is not difficult to 
show (see Appendix A.3) that $\delta_b$ and $\delta_p$ have the relation of 

$$\sqrt{F} \le \sqrt{(1 - \delta_b)(1 - \delta_p)} + \sqrt{\delta_b \delta_p}, \tag{6.8}$$

where $F$ is the fidelity between the two states with two bases (X and Z) sent by Alice, 
and it is the single parameter that characterizes the basis dependency of the source. 
Thus, Alice and Bob can upper bound $\delta_p$ (denoted as $\delta_p^U$) with this inequality given $\delta_b$. 
Clearly, when $\delta_p = \delta_b$, the inequality will always be satisfied, i.e., $\delta_p = \delta_b$ is a particular 
solution of Eq. (6.8). Therefore, in general, we have $\delta_p^U > \delta_p$. In the following, we use $\delta_p$ 
to denote the upper bound $\delta_p^U$ for simplicity. 

Given a QKD protocol and laser source, Alice and Bob can estimate the phase error 
rate $\delta_p$ from the bit error rate $\delta_b$ in accordance with the protocol and source. We investigate 
the highest error rates that a data post-processing scheme can tolerate. Figure 6.3 
shows the tolerable error rates of the Gottesman-Lo EDP compared to the 1-LOCC 
EDP scheme, illustrating the superior performance of the Gottesman-Lo EDP over the 
1-LOCC EDP. The boundaries of the error rates are found by searching through the 
regime of: 

$$\begin{aligned}
\delta_b &< \delta_p, \\
\delta_b + \delta_p &< 1/2,
\end{aligned} \tag{6.9}$$

such that positive key rates are obtained. The reason that we are interested in the region 
specified by the second inequality in Eq. (6.9) is as follows: We can assume that the 
error rates $\delta_b$ and $\delta_p$ are less than 1/2, otherwise Alice and Bob can flip the qubits. 
Furthermore, if $\delta_b + \delta_p > 1/2$, the (worst scenario case) state shared by Alice and Bob 
is a separable state [T3] and the Gottesman-Lo EDP cannot distill any pure EPR pairs. 

The input to the Gottesman-Lo EDP is $(q_{00}, q_{10}, q_{11}, q_{01})$ with $q_{00} + q_{10} + q_{11} + q_{01} = 1$; 
see Subsection 6.1.1. However, Alice and Bob only know $\delta_b = q_{10} + q_{11}$ and $\delta_p = q_{11} + q_{01}$ 
from their error testing. There is one free parameter $q_{11}$. In Appendix C of [34], the 
authors proved that $q_{11} = 0$ is the worst case when $\delta_b = \delta_p$. Following that proof, we can 
show that $q_{11} = 0$ is the worst case when the condition of Eq. (6.9) is satisfied. That is, 
given $(\delta_b, \delta_p)$, if we check the input $(1 - \delta_b - \delta_p, \delta_b, 0, \delta_p)$ for the Gottesman-Lo EDP and 
obtain a positive key rate, then we can safely claim that the Gottesman-Lo EDP can 
tolerate the error rates of $(\delta_b, \delta_p)$. 

To determine the tolerable bit error rate of a particular protocol, one should first
obtain the relationship between the bit error rate and phase error rate, and plot it on
Figure 6.3. The intersections between this curve and the boundary curves (the 1-LOCC
curve and Gottesman-Lo curve) indicate the tolerable QBER for the corresponding EDPs.
For example, for the BB84 protocol with a perfect single-photon source, we have $\delta_b = \delta_p$,
which is the dashed line plotted in Figure 6.3. We can immediately read off from the
figure that an initial bit error rate of 18.9% is tolerable using the Gottesman-Lo EDP
[51], while an error rate of 11.0% is tolerable using the 1-LOCC EDP. In general, the
Gottesman-Lo EDP gives rise to higher tolerable error rates than the 1-LOCC EDP.

We numerically optimize the B/P sequence up to 12 steps. The result is shown in
Figure 6.3.

For protocols having constraints on $q_{11}$, such as the six-state protocol [17] and the
SARG04 protocol with a single-photon source [1011 11091 [28], the tolerable QBER can go
beyond the boundary curves shown in Figure 6.3.

6.2 Decoy + GLLP + Gottesman-Lo EDP 

In this section, we propose a 2-LOCC based data post-processing protocol in a form of 
a sequence of B steps, followed by 1-LOCC error correction and privacy amplification. 
This new scheme is a generalization of the Gottesman-Lo scheme to a case of imperfect 
devices. The reasons for skipping P steps here are as follows. First, from the simulation
in Section 6.1.3, we found that P steps are not as useful as B steps. Secondly, only
considering B steps can simplify the procedure of the data post-processing scheme.
The residual ratio of a post-processing scheme, r, is defined by:

$$R = q Q_\mu r, \qquad (6.10)$$

which characterizes the cost of the post-processing scheme.

Figure 6.3: Plot of the secure regions in terms of error rates for the 1-LOCC EDP and
Gottesman-Lo EDP. The regions under the solid lines are proven to be secure due to
1-LOCC EDP, and Gottesman-Lo EDP schemes (for the region under the solid line and
dashed line), respectively. For 1-LOCC EDP, we use Eq. (2.4). For Gottesman-Lo EDP,
we use Eqs. (6.2) and (6.4). In the Gottesman-Lo EDP, we numerically optimize the B/P
sequence up to 12 steps.

The procedure of the data post-processing scheme, Decoy + GLLP + B steps, is as
follows:

1. Alice and Bob perform a sequence of B steps to the sifted key. During this procedure,
they will discard a large ratio of the key. The survival key bit ratio is defined
to be $r_B$.

2. They calculate the variables (such as QBER, untagged qubits ratio) after the B
steps.

3. They perform an overall error correction, corresponding to the first term in
Eq. (6.11).

4. They perform privacy amplification, corresponding to the second term in Eq. (6.11).

In the following, we will discuss how the residue of this post-processing scheme is
calculated.
In the model described in Section 3.2, there are three kinds of qubits: vacuum, single
photon and multi photon qubits. We emphasize again here that the final secure key can
only be distilled from untagged qubits (single photon qubits) for the BB84 protocol.

Since either of the two inputs of a B step has three possibilities, the outcomes of
a B step then have nine possibilities. Only the case where both inputs are untagged
qubits will there be a positive contribution to the final secure key. That is, at the end of
some B steps, bit error correction and privacy amplification can be only applied to the
remaining qubits that come from the case where both inputs are untagged qubits. In
other words, an output qubit after a subsequence of B steps is "untagged" if a) it passes
all B steps and b) it is generated from a case where all initial input qubits are single
photon qubits. Therefore, the residue ratio of data post processing can be expressed,
according to Eq. (2.6), as:

$$r = r_B \{ -f(\delta) H_2(\delta) + \Omega [1 - H_2(\delta_p^{\text{untagged}})] \}, \qquad (6.11)$$

where $\delta$ is the remaining QBER, $r_B$ is overall survival residue, $\Omega$ is the fraction of
untagged states in the final survival states,³ and $\delta_p^{\text{untagged}}$ is the phase error rate of the
untagged states, after a sequence of B steps. In the following, we will show how these
variables change with the performing of B steps.

An arbitrary B step: Let us consider how the various quantities (fraction of untagged
states $\Omega$, QBER of overall surviving states $\delta$, bit error rate $\delta_{\text{untagged}}$ and phase
error rate $\delta_p$ of the untagged states) are transformed under one step in a B step sequence.

Prior to a B step, the fraction of untagged states is $\Omega$, the overall QBER is $\delta$, the
bit error rate of the untagged states is $\delta_{\text{untagged}}$, and the phase error rate of the untagged
states is $\delta_p$. According to Eq. (6.1), the overall survival probability $p_S$ and the survival
probability of the untagged states $p_S^{\text{untagged}}$ after one B step are given by:

$$p_S = \delta^2 + (1 - \delta)^2, \qquad p_S^{\text{untagged}} = \delta_{\text{untagged}}^2 + (1 - \delta_{\text{untagged}})^2. \qquad (6.12)$$

Then the residue after one B step is given by:

$$r_B = \frac{1}{2} p_S, \qquad (6.13)$$

where the factor 1/2 stems from the fact that Alice and Bob only keep one qubit
from a survival pair. Subsequently, after a B step, the fraction of untagged states $\Omega'$ is
given by:

$$\Omega' = \frac{\Omega^2 \, p_S^{\text{untagged}}}{p_S}. \qquad (6.14)$$

3 Without B steps, $\Omega = Q_1/Q_\mu$.

Overall QBER: the change of the overall QBER $\delta'$ is given by:

$$\delta' = \frac{\delta^2}{\delta^2 + (1 - \delta)^2}. \qquad (6.15)$$

Untagged states: before the first B step, the initial density matrix of the untagged
state is $(1 - 2e_1 + q_{11}, e_1 - q_{11}, q_{11}, e_1 - q_{11})$, where $e_1$ is the error rate of single photon
states. From Appendix C of [31], we know that $q_{11} = 0$ is the worst case for B steps.
Thus we can conservatively choose $(1 - 2e_1, e_1, 0, e_1)$ as the initial input density matrix.
If only B steps are performed, $q_{11} = 0$ will always be satisfied, according to Eq. (6.2).
Therefore, the input untagged qubits for any round of B steps has the form of

$$(q_{00}, q_{10}, q_{11}, q_{01}) = (1 - \delta_{\text{untagged}} - \delta_p, \; \delta_{\text{untagged}}, \; 0, \; \delta_p). \qquad (6.16)$$

The bit error rate of untagged state $\delta'_{\text{untagged}}$ only depends on the input $\delta_{\text{untagged}}$,

$$\delta'_{\text{untagged}} = \frac{\delta_{\text{untagged}}^2}{\delta_{\text{untagged}}^2 + (1 - \delta_{\text{untagged}})^2}. \qquad (6.17)$$

According to Eqs. (6.2), (6.3) and (6.16), the phase error rate of untagged states is

$$\delta'_p = q'_{11} + q'_{01} = \frac{2(q_{10} q_{11} + q_{00} q_{01})}{(q_{10} + q_{11})^2 + (q_{00} + q_{01})^2} = \frac{2\delta_p (1 - \delta_{\text{untagged}} - \delta_p)}{\delta_{\text{untagged}}^2 + (1 - \delta_{\text{untagged}})^2}. \qquad (6.18)$$

Eqs. (6.12)-(6.18) are valid for a general B step. Alice and Bob can perform a sequence
of B steps as described above and then perform the error correction and privacy
amplification. Once all of these quantities are obtained, the key generation rate can be
calculated from Eq. (6.11).
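The B-step recursion of Eqs. (6.12)-(6.18) and the residue of Eq. (6.11), as an added Python example that is not code from the thesis. The function names and the sample operating point are constructed for illustration, and multiplying the per-step factor $r_B$ across steps to obtain the overall survival residue is an assumption of this sketch.

```python
import math


def h2(x):
    """Binary Shannon entropy H_2(x), with H_2(0) = H_2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def b_step(omega, delta, delta_u, delta_p):
    """Apply one B step.

    omega   : fraction of untagged states
    delta   : overall QBER
    delta_u : bit error rate of the untagged states
    delta_p : phase error rate of the untagged states
    Returns (r_B, omega', delta', delta_u', delta_p').
    """
    p_s = delta ** 2 + (1.0 - delta) ** 2            # Eq. (6.12), overall
    p_s_u = delta_u ** 2 + (1.0 - delta_u) ** 2      # Eq. (6.12), untagged
    r_b = 0.5 * p_s                                  # Eq. (6.13)
    omega_next = omega ** 2 * p_s_u / p_s            # Eq. (6.14)
    delta_next = delta ** 2 / p_s                    # Eq. (6.15)
    delta_u_next = delta_u ** 2 / p_s_u              # Eq. (6.17)
    delta_p_next = 2.0 * delta_p * (1.0 - delta_u - delta_p) / p_s_u  # Eq. (6.18)
    return r_b, omega_next, delta_next, delta_u_next, delta_p_next


def residue(omega, delta, e1, n_b, f_ec=1.22):
    """Residue r of Eq. (6.11) after n_b B steps.

    The untagged input is the worst case (1 - 2*e1, e1, 0, e1), so the
    untagged bit and phase error rates both start at e1.
    """
    delta_u = delta_p = e1
    r_b_total = 1.0
    for _ in range(n_b):
        r_b, omega, delta, delta_u, delta_p = b_step(omega, delta, delta_u, delta_p)
        # Assumption of this sketch: survival residues multiply across steps.
        r_b_total *= r_b
    return r_b_total * (-f_ec * h2(delta) + omega * (1.0 - h2(delta_p)))


def best_b_steps(omega, delta, e1, max_steps=6):
    """Number of B steps (0..max_steps) that maximizes the residue."""
    return max(range(max_steps + 1), key=lambda n: residue(omega, delta, e1, n))


if __name__ == "__main__":
    # Constructed operating point: 70% untagged, 9% overall QBER, e1 = 7%.
    for n in range(4):
        print(n, "B steps -> r =", round(residue(0.7, 0.09, 0.07, n), 5))
    print("best number of B steps:", best_b_steps(0.7, 0.09, 0.07))
```

At this constructed operating point the residue is negative without B steps and becomes positive after one B step, which is the behaviour the section attributes to B steps at long distances.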

To illustrate the improvement made by introducing B steps, we simulate the GYS
experiment [32], whose parameters are listed in Table 3.1. Similar to the simulations in
previous chapters, we use $f(e) = 1.22$ for the error correction efficiency [16].

From Figure 6.4, we can see that there is a non-trivial extension of the maximal secure
distance after introducing B steps. Note that the key rate of the decoy state protocol
with 1 B step is higher than the one with 1-LOCC from a distance of around 132 km.
The maximal secure distance using 4 B steps is 181 km, which is not far from the upper
bound of 208 km, given in Section 4.2.1. Even with only 1 B step, the maximal secure
distance can be extended from 142 km to 162 km. Thus, B steps are useful in QKD data
post-processing.

[Figure 6.4 plot. x-axis: Transmission distance [km]; curve labels: GLLP+Decoy, 3 B, 4 B; parameters: GYS.]

Figure 6.4: Plot of the key rate as a function of the transmission distance with the
data post-processing scheme of GLLP+Decoy+B steps. The simulation parameters are
from the GYS experiment [32] listed in Table 3.1. The GLLP+Decoy+B steps scheme
surpasses the one with 1-LOCC at a distance of 132 km. The maximal secure distance
using 4 B steps is 181 km, which is not far from the upper bound of 208 km. Note that
B steps are useful only at rather long distances (over 132 km).



6.3 Decoy + GLLP + Recurrence EDP 

In this section, we will present another data post-processing scheme based on the
recurrence scheme [118], which is reviewed in Section 6.1.2. Our scheme is a generalization of
the recurrence scheme to the case of imperfect sources.

Here, we will use the extended GLLP formula, Eq. (2.7), in Section 2.5.3. Again, we
use the definition of the residual, Eq. (6.10):

$$r = -\frac{1}{2} f(p_S) H_2(p_S) - \frac{1}{2} p_S f\!\left(\frac{\delta^2}{p_S}\right) H_2\!\left(\frac{\delta^2}{p_S}\right) + \sum_i \Omega_i K_i, \qquad (6.19)$$

where $p_S$ is the even parity probability given in Eq. (A.2) with both of its error-rate
arguments set equal to $\delta$, $\delta$ is the overall QBER before the recurrence, $f(\cdot)$ is the error
correction efficiency, and $\Omega_i$ and $K_i$ are the probability and the residue of the qubit groups
with label i after privacy amplification, respectively.

In the post-processing, Alice and Bob first check the parity, corresponding to the
first term of Eq. (6.19). Secondly, they apply an overall error correction to the qubits
with even parity, corresponding to the second term of Eq. (6.19). Thirdly, they measure
one of the qubits in the pairs with odd parity to obtain the error syndrome of another
qubit. Afterwards, they can group the surviving qubits into several groups with labels i.
Finally, they perform privacy amplification to each group with label i, corresponding to
the last term of Eq. (6.19).

In the decoy state protocol, there are three kinds of input qubits: vacuum qubits
(V), single-photon qubits (S) and multi-photon qubits (M). The input parameters for
recurrence are listed in Table 6.1.



Qubit   Fraction      $\delta_b$   $\delta_p$   $q_{11}$
V       $\Omega_V$    1/2          1/2          $q_{11}^{V}$
S       $\Omega$      $e_1$        $e_1$        $a$
M       $\Omega_M$    $e_M$        1/2

Table 6.1: List of the parameters of three kinds of input qubits for the recurrence scheme.
Following Eqs. (3.7) and (3.8), the fractions of each group are given by $\Omega_V = Q_0/Q_\mu$,
$\Omega = Q_1/Q_\mu$ and $\Omega_M = 1 - \Omega_V - \Omega$. $\Omega_V/2 + e_1 \Omega + e_M \Omega_M = \delta$ is the overall QBER.

Thus, the outcome of one round of recurrence will have nine cases. Clearly, if neither
input is a single photon qubit, the outcome will have no contribution to the final key.
Alice and Bob need only apply Eq. (A.12) to calculate the residues, $K_i$, for the five cases:
$V \oplus S$, $S \oplus V$, $S \oplus S$, $S \oplus M$, $M \oplus S$. The probabilities of occurrence, $\Omega_i$, for the five
cases are $\Omega_V \Omega$, $\Omega \Omega_V$, $\Omega^2$, $\Omega \Omega_M$, $\Omega_M \Omega$, respectively. Once we know $K_i$ and $\Omega_i$, we can then
determine the overall residue, r, using Eq. (6.19) (details are shown in Appendix A.4):

$$r \ge -B + C - F_a, \qquad (6.20)$$
where

$$B = \frac{1}{2} f(p_S) H_2(p_S) + \frac{1}{2} p_S f\!\left(\frac{\delta^2}{p_S}\right) H_2\!\left(\frac{\delta^2}{p_S}\right)$$


C = 


-fiyfi + £7 2 (1 — ei + e\) + -QQ M (2 — e x — e A / + 2eiejw 


D 1 = 




+ hl 2 {2 - ei) + -OQ M (2 - e M ) 


D 2 = 




+ ^fi 2 (l + ei) + -fifijif (ejw + 1) 


F a = 


£>i(l- 


e 1 ) J ff 2 (^^)+ J D 2 e lJ ff 2 (-) 
1-ei ei 



with equality when = 1/4 and $q_{11}^{M} = e_M/2$. In order to get a lower bound of key
generation rate R, we maximize $F_a$ over $a$ by using a bisection method as discussed in
Appendix A.4.




[Figure 6.5 plot. x-axis: Transmission distance [km].]

Figure 6.5: Plot of the key generation rate as a function of the transmission distance,
GLLP+Decoy+Recurrence vs. GLLP+Decoy+1-LOCC. Recurrence improves the QKD
performance over 1-LOCC in the whole regime of the distance. In particular, the
recurrence method increases the key rate by more than 10% in our simulation. The maximal
secure distance for each case is 142.8 km (1-LOCC), 149.1 km (Recurrence), 163.8 km (1
B), respectively. Here, we consider the asymptotic decoy state QKD with an infinitely
long experiment. The parameters used are from the GYS experiment [32] listed in Table

Figure 6.5 shows the key generation rate as a function of the transmission distance
for GLLP+Decoy+1-LOCC, GLLP+Decoy+1 B step, and GLLP+Decoy+Recurrence.
Recurrence has more than a 10% improvement of the key rate over 1-LOCC in the whole
regime of the distance, and it also increases the maximal secure distance by 6 km.

6.4 Conclusion 

We have developed two data post-processing schemes for the decoy state QKD using
2-LOCC, one based on B steps and the other based on the recurrence method. As discussed
in Section 1.2.2, the maximal secure distance of QKD is crucial in practical applications,
thus our Decoy+B steps post-processing protocol, which we have shown to be able to
increase the maximal secure distance of QKD from 141 km to 182 km (using parameters
from the GYS experiment [32]), proves to be useful in real-life applications. Moreover,
our work shows that recurrence protocols are useful for increasing the key generation rate
in a practical QKD system in the whole regime of the distance.

In Ref. [74], we also show that similar conclusions hold even with statistical
fluctuations in the experimental variables for the Decoy+B step scheme. For the
Decoy+Recurrence scheme, although we do not have a rigorous argument, physical intuition
suggests that similar conclusions hold in the case of considering statistical fluctuations
as well. We conclude that using two-way classical communication is superior to using
one-way for our decoy state QKD schemes.

In addition, we provided a region of bit error rates and phase error rates that are 
tolerable by using the Gottesman-Lo EDP scheme. 



Chapter 7 

Triggering PDC QKD 



Parametric down-conversion (PDC) sources can be used for QKD. One can use a PDC
source as a triggered (heralded) single photon source. Recently, there have been various
practical proposals of the decoy state QKD with triggering PDC sources. In this chapter, we
generalize the passive decoy state idea, originally proposed by Mauerer and Silberhorn.
The generalized passive decoy state idea can be applied to cases where either threshold 
detectors or photon number resolving detectors are used. The decoy state protocol pro- 
posed by Adachi, Yamamoto, Koashi and Imoto (AYKI) can be treated as a special case 
of the generalized passive decoy state method. By simulating a recent PDC experiment, 
we compare various practical decoy state protocols with the infinite decoy protocol and 
also compare the cases using threshold detectors and photon-number resolving detectors. 
Our simulation result shows that with the AYKI protocol, one can achieve a key genera- 
tion rate that is close to the theoretical limit of the infinite decoy protocol. Furthermore, 
our simulation result shows that a photon-number resolving detector does not appear 
to be useful for improving the QKD performance in this case. Although our analysis 
is focused on the QKD with PDC sources, we emphasize that it can also be applied to 
QKD setups with other triggered single photon sources. 

This work is presented in Ref. [76]. In this work, I modeled the QKD setup with
triggered PDC source following the work of Lütkenhaus [70] and compared various decoy
state proposals of triggering PDC QKD.






7.1 Background 

The coherent state QKD suffers from photon-number splitting (PNS) attacks [3H1 EEHJ E].
As discussed in Section 4.1, a main objective of the decoy state method is to close this
loophole of multi photon components in QKD sources. Decoy states can help better
estimate the channel properties (e.g., transmittance and error probability). To do that,
Alice uses extra states with different light intensities during key transmission. Then
Alice and Bob can consider detection statistics from signal and decoy states separately,
from which they can better estimate the channel transmittance and error probability.
The situation where Alice actively prepares decoy states is called the active decoy state
method, which is differentiated from the passive decoy state method where Alice chooses
decoy and signal states by passive measurements. A detailed discussion about the passive
decoy state can be found in Section 7.4.4. Note that in the coherent state QKD, one can
only use the active decoy state method.

Aside from a coherent state source, a PDC source can be used in a QKD experiment 
as well. There are two ways to use a PDC source. The first is to use it as a triggered 
(heralded) single photon source. Alice detects one of the two modes from a PDC source 
as a trigger and actively encodes her qubit information into another mode. We call this 
implementation triggering PDC QKD. The second way is to use it as an entangled photon 
source for entanglement-based QKD protocols. See Chapter 8 for more discussion. We
call this implementation entanglement PDC QKD.

The triggering PDC QKD, similar to the coherent state QKD, suffers from PNS
attacks. By applying the GLLP security proof, one can find that the optimal average
photon number $\mu$ is in the same order of the overall transmittance $\eta$. Then the key
generation rate will be in the order of $\eta^2$. For a rigorous derivation, one can refer to
Appendix B.2. Thus, the performance of the triggering PDC QKD is very limited.

Since the decoy state idea can substantially enhance the performance of the coherent
state QKD, a natural question will be: "Can the decoy state idea be applied to the
triggering PDC QKD?" The answer is yes. One can apply the infinite decoy state idea
[65], as discussed in Section to the triggering PDC QKD. Not surprisingly, with decoy
states, the key generation rate can be $O(\eta)$, which is the same as the order achieved by
a single-photon source. Therefore, we expect that the decoy state QKD will become a
standard technique not only in the coherent state QKD, but also in QKD with triggering
PDC sources. Recently, a few practical decoy proposals for triggering PDC requiring
a finite number of decoy states have been proposed [HH [21 11221 H21]. Note that an
experimental demonstration of the decoy state QKD with a triggering PDC source was
implemented recently [120].

1 See Section 7.2 for the definition of a trigger.

We are interested in comparing various protocols for the triggering PDC QKD. Among
the practical decoy protocols for triggering PDC QKD, we find that the one proposed by
Adachi, Yamamoto, Koashi and Imoto (AYKI) [2] is simple to implement. The AYKI
protocol is conceptually similar to the one-decoy state scheme [77], as discussed in Section
5.1.2. In the AYKI protocol, Alice and Bob only need to consider the statistics of triggered
and non-triggered detection events² separately, instead of preparing new signals for the
decoy states. We emphasize that the AYKI protocol is easy to implement since there is
no need for a hardware change.

Other decoy state proposals for the triggering PDC QKD require hardware modifications.
For example, the one proposed by Mauerer and Silberhorn [82] requires photon-number
resolving detectors, and the one proposed by Wang, Wang and Guo [122] requires
Alice to pump the laser source at various intensities.

The following is a generalization of the passive decoy state idea proposed by Mauerer
and Silberhorn [82]. The main idea is that Bob can group his detection events in
accordance to the public announcement of Alice's detection events. For example, when Alice
uses a threshold detector, Bob can group his detection results in accordance to whether 
Alice gets a detection or not. The generalized passive decoy state idea can be applied 
to both cases that use threshold detectors and photon-number resolving detectors. The 
AYKI protocol can be treated as a special case of the generalized passive decoy state 
protocol. 

By simulating a recent PDC experiment [115] , we compare one case with a perfect 
photon-number resolving detector and four cases with threshold detectors: no decoy, 
infinite decoy, weak decoy and AYKI. Our simulation result shows that in a large regime 
(for instance, the optical link loss between dB and 25 dB), the performance of AYKI 
protocol is close to that of the infinite decoy protocol and thus, there is not much room 
left for improvement after the AYKI protocol has been implemented. Moreover, the QKD 
performance of the case with the infinite decoy protocol using threshold detectors is close 
to the case using a perfect photon-number resolving detector. Thus, a photon-number 
resolving detector does not appear to be useful for triggering PDC QKD. 



2 In a non-triggered detection event, Bob gets a detection, but Alice does not get a trigger. 
We emphasize that an advantage of the passive decoy state method is that by passively
choosing decoy and signal states, the possibility that Eve can distinguish decoy and signal 
states is reduced. On the other hand, in active (regular) decoy state experiments, it is 
more difficult to verify the assumption that Eve cannot distinguish decoy and signal 
states. 

Note that the passive decoy state idea can be combined with the active decoy state
idea. In Ref. [121], the authors provide a special case where passive and active decoy
state ideas are combined. Again, we emphasize that for the coherent state QKD, one can
only use active decoy state methods.

Although our analysis is focussed on a QKD with a triggered PDC source, we em- 
phasize that it can also be applied to QKD setups with other triggered single photon 
sources. 

In Section 7.2, we will review the experiment setup of the triggering PDC QKD. In
Section 7.3, we provide a model for the triggering PDC QKD. In Section 7.4, we will
study various post-processing schemes for the triggering PDC QKD. In Section 7.5, we
will compare various schemes of the triggering PDC QKD: non-decoy+threshold detectors,
infinite decoy+threshold detectors, AYKI and a case with a perfect photon-number
resolving detector, by simulating a real PDC experiment.



7.2 Experiment setup 

In triggering PDC QKD, a PDC source is used as a triggered single photon source.³ The
schematic diagram is shown in Figure 7.1.

As shown in Figure 7.1, a PDC source generates two modes of photons, which can be
separated by a polarization beam splitter (PBS). One mode goes to Alice's own detector
(DA in Figure 7.1) as the triggering signal and the other mode is used as a triggered
single photon state for the QKD. When Alice's detector (DA) clicks, we call it a trigger.
We divide the detection events on Bob's side into two groups depending on whether Alice
gets a trigger or not: triggering detection events and non-triggering detection events.

Note that Alice can use either a threshold detector or a photon-number resolving
detector (DA in Figure 7.1). She only needs to know the number of photons in the
trigger mode. Therefore, only one detector is sufficient on Alice's side. Due to the high
channel losses, without Eve's interference, Bob is highly likely to receive a vacuum or 



3 Sometimes it is called heralded single photon source. 
Figure 7.1: A schematic diagram for the triggering PDC QKD. Alice collects photon pairs 
emitted from a PDC source and uses a polarization beam splitter (PBS) to separate two 
polarization modes. She detects one of the two modes with her detector (DA) as a trigger, 
modulates the polarization of the other mode by a polarization controller (PC) and sends 
it to Bob. On Bob's side, he chooses his basis by a PC and performs a measurement by 
his detectors (DB and DB^. 



single photon state. Thus it is sufficient for Bob to use threshold detectors. Threshold 
single photon detectors can only tell whether there is a click or not, but not the photon 
numbers. Bob needs to identify polarizations of incoming photons. Here, we assume 
Alice encodes qubit information in photon polarizations. 

In real experiments, there are two types of PDC sources, both of which can be used
in a triggering PDC QKD setup. Here, we assume Alice uses a type-II PDC source. The
Hamiltonian of the type-II PDC process in the triggering setup shown in Figure 7.1 can
be written as [119]:

$$H = i \chi a^\dagger b^\dagger + \text{h.c.}, \qquad (7.1)$$

where h.c. means Hermitian conjugate and $\chi$ is a coupling constant which depends on
the crystal nonlinearity and the amplitude of the pump beam. The operators $a^\dagger$, $b^\dagger$ and
$a$, $b$ are the creation and annihilation operators of two modes with different polarizations.

The state coming from a triggering PDC source, with a Hamiltonian of Eq. (7.1), can
be written as [119]:

$$= (\cosh \chi)^{-1} \sum_{n=0}^{\infty} (\tanh \chi)^n |n, n\rangle. \qquad (7.2)$$

Here, we assume that the state is single-mode. The expected photon pair number is given
by $\mu = \sinh^2 \chi$. The probability to get an n-photon-pair is:

$$P(n) = \frac{\mu^n}{(1 + \mu)^{n+1}}. \qquad (7.3)$$

Here, we assume that the PDC source always sends out photon pairs. That is, the photon
number of mode a and b is always the same.
There is a nonzero probability for the PDC source to emit more than one photon pair
in a pulse. Thus, Alice may send out multi photon states after she encodes basis and key 
information by her polarization controller (PC). This is the reason why the triggering 
PDC QKD suffers from PNS attacks. Later in the next chapter, we will show that when 
Alice uses the PDC source as an entangled photon source to implement an entanglement 
based QKD, it will be immune from PNS attacks. 

Let us compare triggering PDC QKD and entanglement PDC QKD implementations. 
For the setup of entanglement PDC QKD, one can refer to Section In the triggering 
PDC QKD, Alice actively encodes the key information, while in the entanglement PDC 
QKD, Alice measures the polarization of one mode of PDC source directly. The advantage 
of the triggering PDC QKD here is that it does not rely on the polarization correlations 
between two modes of the PDC source. It only requires the photon-pair generation of 
the source, which means entanglement between photon pairs are not important for the 
triggering PDC QKD. However, in an entanglement PDC QKD implementation, the 
entanglement between two modes has to be well maintained for QKD transmission. We 
notice that maintaining entanglement in real experiments is a highly non-trivial task.⁴



7.3 Model 

Lütkenhaus studied the model of triggering PDC QKD [70] with threshold detectors.
His model is similar to the one of the coherent state QKD, except for a different photon
number distribution.

The channel model of triggering PDC QKD is exactly the same as the coherent state
QKD. Thus, one can use Eqs. (3.6) and (3.9).

7.3.1 On Alice's side 

In the triggering PDC QKD, Alice may use either a threshold detector or a photon-number
resolving detector. An N-photon-resolving detector is defined to be a detector
that can tell 0, 1, ..., N photons of an incoming signal. For a threshold detector, we
have N = 1, which can only tell the presence of photons, but not the photon numbers.
Given an incoming i-photon state, the probability for Alice's detector to indicate a
j-photon state is $\eta_{j|i}$, with $\sum_{j=0}^{N} \eta_{j|i} = 1$ for all i = 0, 1, .... In general, the $\eta_{j|i}$ are real
numbers in [0,1]. We define a j-photon trigger for a case where Alice's detector indicates
a j-photon state.

4 A. M. Steinberg, private communication.

For a triggered PDC photon source, as given in Eq. (7.2), the probability for Alice's
detector to indicate a j-photon detection is:

$$P_{A_j} = \sum_{i=0}^{\infty} \frac{\mu^i}{(1 + \mu)^{i+1}} \eta_{j|i}. \qquad (7.4)$$

With the assumption that the PDC source always emits photon pairs, the probability 
(gain) for Alice getting a j-photon detection and Bob getting a detection is: 



(7-5) 



oo 



i=0 



where the yield is given in Eq. (3.6). The quantum bit error rate (QBER) conditioned
on Alice's j-photon detection, similar to Eq. (7.5), is given by:

$$E_{\mu,j} Q_{\mu,j} = \sum_{i=0}^{\infty} Q_{i,j} e_i = \sum_{i=0}^{\infty} \frac{\mu^i}{(1 + \mu)^{i+1}} \eta_{j|i} Y_i e_i, \qquad (7.6)$$

where the error rate $e_i$ is given in Eq. (3.9).

It is observed that in the triggering PDC QKD setup, shown in Figure 7.1, the
quantities $Y_i$ and $e_i$ are independent of Alice's measurement outcome j. This is based on
the single-mode PDC source assumption described in Eq. (7.1) in Section 7.2. Therefore,
in Section 7.4, we can apply the decoy state idea.



7.3.2 Threshold detector 

Here, we will discuss a special case where Alice uses a threshold detector. That is,

$$\eta_{0|i} = (1 - Y_{0A})(1 - \eta_A)^i \approx (1 - \eta_A)^i,$$
$$\eta_{1|i} = 1 - \eta_{0|i},$$
$$\eta_{j|i} = 0, \quad \forall j \ge 2,$$

where $Y_{0A}$ and $\eta_A$ are the background count rate and the detector efficiency on Alice's
side. The approximation is due to the fact that normally, we have $\eta_A \gg Y_{0A}$. That is,
we neglect the background contributions on Alice's side.

According to Eqs. (7.5) and (7.6), without Eve's interference, the gains and QBERs
of triggered (j = 1) and non-triggered (j = 0) detections are given by:

$$Q_{\mu,0} = \frac{1}{1 + \eta_A \mu} - \frac{1 - Y_{0B}}{1 + (\eta_A + \eta - \eta_A \eta)\mu},$$
$$Q_{\mu,1} = 1 - \frac{1}{1 + \eta_A \mu} - \frac{1 - Y_{0B}}{1 + \eta \mu} + \frac{1 - Y_{0B}}{1 + (\eta_A + \eta - \eta_A \eta)\mu},$$
$$E_{\mu,0} Q_{\mu,0} = e_d Q_{\mu,0} + \frac{(e_0 - e_d) Y_{0B}}{1 + \eta_A \mu}, \qquad (7.8)$$
$$E_{\mu,1} Q_{\mu,1} = e_d Q_{\mu,1} + \frac{(e_0 - e_d) \eta_A \mu Y_{0B}}{1 + \eta_A \mu}.$$

Without Eve's interference, the gains and error rates of the single photon state in two
detections are given by:

$$Q_{1,0} = \frac{\mu (1 - \eta_A)}{(1 + \mu)^2} Y_1,$$
$$Q_{1,1} = \frac{\mu \eta_A}{(1 + \mu)^2} Y_1, \qquad (7.9)$$
$$e_1 Y_1 = e_d Y_1 + (e_0 - e_d) Y_{0B},$$

where $Y_1$ and $e_1$ are given in Eqs. (3.6) and (3.9), respectively.
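A numerical cross-check of the threshold-detector model, as an added Python example that is not code from the thesis: it sums the photon-pair series term by term with the distribution of Eq. (7.3) and the threshold-detector response of Section 7.3.2, and compares the result with the closed-form gains of Eq. (7.8) and the single-photon gains of Eq. (7.9). The yield $Y_i = 1 - (1 - Y_{0B})(1 - \eta)^i$ is an assumption standing in for Eq. (3.6), which is not reproduced in this section; the function names and parameter values are constructed.

```python
def pdc_pair_prob(n, mu):
    """Eq. (7.3): P(n) = mu^n / (1 + mu)^(n + 1), written to avoid overflow."""
    return (mu / (1.0 + mu)) ** n / (1.0 + mu)


def eta_threshold(j, i, eta_a):
    """Threshold detector on Alice's side, with her background counts neglected."""
    no_click = (1.0 - eta_a) ** i
    if j == 0:
        return no_click
    if j == 1:
        return 1.0 - no_click
    return 0.0


def yield_i(i, eta, y0b):
    """Assumed form of the yield: Bob clicks unless there is no background
    count and all i photons are lost."""
    return 1.0 - (1.0 - y0b) * (1.0 - eta) ** i


def gain_series(j, mu, eta_a, eta, y0b, n_max=400):
    """Gain for Alice's outcome j, summed term by term over photon-pair number."""
    return sum(
        pdc_pair_prob(i, mu) * eta_threshold(j, i, eta_a) * yield_i(i, eta, y0b)
        for i in range(n_max)
    )


def gain_closed_form(j, mu, eta_a, eta, y0b):
    """Closed-form gains of Eq. (7.8) for j = 0 (no trigger) and j = 1 (trigger)."""
    both = 1.0 + (eta_a + eta - eta_a * eta) * mu
    q0 = 1.0 / (1.0 + eta_a * mu) - (1.0 - y0b) / both
    if j == 0:
        return q0
    return (1.0 - 1.0 / (1.0 + eta_a * mu)
            - (1.0 - y0b) / (1.0 + eta * mu)
            + (1.0 - y0b) / both)


def single_photon_gain(j, mu, eta_a, eta, y0b):
    """Eq. (7.9): single-photon-pair contribution to the gain for outcome j."""
    weight = (1.0 - eta_a) if j == 0 else eta_a
    return mu * weight / (1.0 + mu) ** 2 * yield_i(1, eta, y0b)


def single_photon_fraction(j, mu, eta_a, eta, y0b):
    """Share of the gain for outcome j that comes from single-photon pairs."""
    return single_photon_gain(j, mu, eta_a, eta, y0b) / gain_closed_form(j, mu, eta_a, eta, y0b)


if __name__ == "__main__":
    # Constructed parameters: mu = 0.1, eta_A = 0.5, eta = 0.01, Y_0B = 1e-5.
    args = (0.1, 0.5, 0.01, 1e-5)
    for j in (0, 1):
        print(j, gain_series(j, *args), gain_closed_form(j, *args),
              single_photon_fraction(j, *args))
```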



7.3.3 Perfect photon-number resolving detector 

Here, we will discuss the case where Alice uses a perfect photon-number resolving
detector, which can faithfully tell the number of photons in the incoming signal. That is,
$\eta_{j|i} = \delta_{ij}$. Thus, from Eqs. (7.5) and (7.6), the gains and QBERs are given by:

$$Q_{\mu,i} = Q_{i,i} = \frac{\mu^i}{(1 + \mu)^{i+1}} Y_i,$$
$$E_{\mu,i} Q_{\mu,i} = e_i Q_{i,i} = \frac{\mu^i}{(1 + \mu)^{i+1}} e_i Y_i, \qquad (7.10)$$

from where one can directly infer the gains and error rates of the i-photon state, Qij =

7.4 Post-processing

Here, we will apply the standard GLLP analysis, as shown in Eq. (2.6). All the classical
data measured can be grouped according to Alice's detection events, j = 0, 1, ..., N.
Subsequently, we can apply the GLLP idea [35j HI] to each group. The final key
generation rate will be given by summing over contributions from all groups:

$$R = \sum_{j=0}^{N} R_j. \qquad (7.11)$$

In each case j, one can apply Eq. (7.19):

Rj > <l{ /(/•-,,, /•-,,) + Qij[l ~ # 2 (ei)]}, (7.12) 

where $Q_{0,j}$ and $Q_{1,j}$ are the first and second terms on the right hand side of Eq. (7.5).
Here, the error rate of the single photon state $e_1$ is independent of $j$; see the observation
at the end of Section 7.3.1. Note that the key generation rate from all $j$-photon trigger
detections should be non-negative. If any of them contributes a negative key generation
rate, we should assign 0 to it. In this case, Alice and Bob can just discard that type
of detection. Based on this observation, we can further simplify Eq. (7.11). Given that
Alice detects more than one photon, the probability of emitting a single photon state
in Bob's arm is 0. As we mentioned in the beginning of this section, only a single
photon state can contribute positively to the final key rate. Thus we can focus on the
case $j = 0, 1$.

$$
R = R_0 + R_1, \tag{7.13}
$$

where $R_0$ and $R_1$ are given in Eq. (7.12). Again, both $R_0$ and $R_1$ should be non-negative;
otherwise they should be assigned 0.

In Eq. (7.12), the gain $Q_{\mu,j}$ and the QBER $E_{\mu,j}$, given in Eqs. (7.5) and (7.6), can
be measured or tested from QKD experiments directly. In this section, we will discuss
various ways to estimate $Q_{0,j}$, $Q_{1,j}$, and $e_1$. We assume that the PDC photon source and
detector characteristics are fixed and known to Alice. That is, $\mu$, the photon number
distribution in Eq. (7.3) and $\eta_A$ are fixed and known.

5 In Section 7.2 we assume that Alice's PDC source always sends out photon pairs. Given that Alice
detects more than one photon on the triggering arm, a single photon state is present on the other arm
only when there is a dark count in Alice's detector. Normally, we can assume that the detector efficiency
is much higher than the dark count probability on Alice's side. Thus, we neglect the probability of a
single photon state with a multi photon trigger.

7.4.1 Non-decoy states with threshold detectors

Here, we assume that Alice uses a threshold detector. Thus, Alice only has two
measurement outcomes, $j = 0, 1$. A simple way to estimate $Q_{0,j}$, $Q_{1,j}$, and $e_1$ is by assuming
that all losses and errors come from the single photon states. This is because Eve can, in
principle, perform PNS attacks on the multi-photon states. The gain and error rate of
the single photon states in triggered ($j = 1$) and non-triggered ($j = 0$) detections can be
bounded by:

$$
\begin{aligned}
Q_{1,0} &\ge Q_{\mu,0} - \sum_{i=2}^{\infty} (1 - \eta_A)^i \frac{\mu^i}{(1 + \mu)^{i+1}}
         = Q_{\mu,0} - \frac{\mu^2 (1 - \eta_A)^2}{(1 + \eta_A \mu)(1 + \mu)^2} \\
Q_{1,1} &\ge Q_{\mu,1} - \frac{\eta_A (2 - \eta_A + \mu) \mu^2}{(1 + \eta_A \mu)(1 + \mu)^2} \\
e_{1,0} &\le \frac{E_{\mu,0} Q_{\mu,0}}{Q_{1,0}} \\
e_{1,1} &\le \frac{E_{\mu,1} Q_{\mu,1}}{Q_{1,1}}
\end{aligned}
\tag{7.14}
$$

where $\eta_A$ is the efficiency of Alice's detector. The gain $Q_{\mu,j}$ and the QBER $E_{\mu,j}$, given
in Eqs. (7.5) and (7.6), can be measured or tested from QKD experiments directly. In
the following simulations, we will use Eq. (7.8). Since we assume all errors come from
single photon states, one should take the lower bound of the vacuum contribution to be
$Q_{0,j} = 0$.



7.4.2 Infinite active decoy state with threshold detectors 

To perform a privacy amplification process, Alice and Bob need to bound $Q_{0,j}$, $Q_{1,j}$, and
$e_1$ for Eq. (7.12). From Eq. (7.5), we know that to bound $Q_{0,j}$ and $Q_{1,j}$, Alice and Bob
need to estimate $Y_1$.

The decoy state method provides a good way to estimate $Y_1$ and $e_1$ [101 [65]. The
essential idea is that instead of considering each linear equation of $Y_1$ and $e_1$ in the
form of Eqs. (7.5) and (7.6) separately, Alice and Bob consider all the linear equations
simultaneously.

Let us imagine that Alice and Bob obtain an infinite number of linear equations in the
form of Eqs. (7.5) and (7.6), e.g., they use an infinite number of intensities $\mu$. In principle,
Alice and Bob can solve the equations to get $Y_1$ and $e_1$ accurately. Mathematically, the
problem is solvable. The intuition is that the contributions from higher order terms of $Y_i$
and $e_i$ decrease exponentially in Eqs. (7.5) and (7.6). For the case of coherent state QKD,
one or two decoy states are proven to be sufficient [77]. Shortly, we will see that one
decoy state is sufficient for triggering PDC QKD.

The key underlying assumption of the decoy state method is shown in Eq. (4.2). In
other words, Eve sets the same values of $Y_i$ and $e_i$ for the decoy and signal states. This
can be guaranteed by the assumption that Eve cannot distinguish decoy and signal states.

In Appendix B.2, we will show that the optimal $\mu$ for the infinite decoy state case
is of the order of 1, $\mu = O(1)$, which yields a final key rate $R = O(\eta)$. On the other
hand, the optimal $\mu$ for the non-decoy case is $\mu = O(\eta)$, which yields a final key rate
$R = O(\eta^2)$. Therefore, we expect the decoy state QKD to become a standard technique
not only in the coherent state QKD, but also in QKD with triggering PDC sources.

There are various ways to apply the decoy state idea to the triggering PDC QKD
[82, 2, 122]. Here, we consider the upper bound (infinite decoy state case) of all possible decoy
protocols of triggering PDC QKD with threshold detectors: triggering PDC+infinite
decoy method [65]. In the infinite decoy state method, Alice and Bob perform an infinite
number of decoy states by choosing different intensities of the PDC source, $\mu$. They
can then solve the linear equations in the form of Eqs. (7.5) and (7.6) to estimate $Y_1$
and $e_1$ accurately. Hence, they can calculate each $Q_{0,j}$, $Q_{1,j}$, and $e_1$ accurately. In the
simulation, we will use Eqs. (7.8) and (7.9) directly.



7.4.3 Weak active decoy state with threshold detectors 

Here, we assume that Alice and Bob use threshold detectors and focus on triggered
detection events. Alice uses another intensity $\nu$, for instance, by attenuating the pumping
laser, for the weak decoy state. Wang, Wang and Guo proposed a practical decoy method
for triggering PDC QKD [122], which is essentially applying the Vacuum+Weak decoy
state method [77] described in Section 5.1.1. Note that for triggered detection events,
the vacuum contribution can be negligible since $\eta_A \gg Y_{0A}$. Thus there is no need to
estimate the vacuum contribution here. Therefore, Alice and Bob only need to perform
a weak decoy state instead of the Vacuum+Weak decoy states. In this case, only one
weak decoy state is sufficient.

Bounds of $Y_1$ and $e_1$ are given by $\mu^2 (1 + \nu)^3 \times Q_{\nu,1} - \nu^2 (1 + \mu)^3 \times Q_{\mu,1}$
in Eqs. (7.5) and (7.6):

$$
\begin{aligned}
Y_1 &\ge Y_1^L = \frac{1}{\eta_A (\mu - \nu)} \left[ \frac{\mu}{\nu} (1 + \nu)^3 Q_{\nu,1} - \frac{\nu}{\mu} (1 + \mu)^3 Q_{\mu,1} \right] \\
e_1 &\le \min\left\{ \frac{(1 + \mu)^2 E_{\mu,1} Q_{\mu,1}}{\mu \eta_A Y_1^L}, \frac{(1 + \nu)^2 E_{\nu,1} Q_{\nu,1}}{\nu \eta_A Y_1^L} \right\}
\end{aligned}
\tag{7.15}
$$

where $\nu$ is the expected photon pair number of the weak decoy state and $\eta_A$ is the
efficiency of Alice's threshold detector.

It is not difficult to show that when $\nu \to 0$, Eq. (7.15) approaches the infinite case,
Eqs. (7.8) and (7.9), described in the previous subsection.



7.4.4 Passive decoy state 

Recently, Mauerer and Silberhorn proposed a passive decoy state scheme, in which
photon-number resolving detectors are required [82]. Let us recap the heuristic idea
of the original passive decoy state scheme briefly here. As discussed in Section 7.3, Alice
and Bob eventually get different detection events grouped by triggers on Alice's side. The
key idea proposed by Mauerer and Silberhorn is that Alice and Bob manually combine
the {j}-trigger detection events to get the decoy states with different photon number
statistics and then follow the regular decoy state scheme.

Here, we want to point out that the "combination" step is unnecessary. In general, 
each detection event group with a j-trigger has a different photon number statistic on the 
photon source arm. Thus, Alice and Bob need to treat all {j}-trigger detection events 
statistics separately. Furthermore, photon-number resolving detectors are not necessary 
in passive decoy state schemes. Our new generalized passive decoy state scheme is as 
follows. 

1. Alice uses a PDC source as her triggered photon source. She detects one of the
modes from her PDC source as the trigger and encodes key information into another
mode. Due to the detector Alice uses, she will get different trigger events:
$j = 0, 1, \cdots$. When she uses a threshold detector, she will only get $j = 0, 1$.

2. As in the usual BB84 protocol, Bob measures signals in two different bases. Alice and
Bob perform basis reconciliation.

3. Alice announces her trigger detection results for each pulse: $j$. Bob groups his
detection events by the information $j$. For each $j$, they calculate the gain $Q_{\mu,j}$ and
test the QBER $E_{\mu,j}$.
Mathematically, they will obtain a set of linear equations in the form of Eqs. (7.5)
and (7.6). Notice that the setup parameters, $\mu$ and $\eta_A$, are known to Alice and
Bob. Thus, they can estimate $Y_1$ and $e_1$ by considering Eqs. (7.5) and (7.6).

4. The post-processing is applied in accordance with Eq. (7.13).

Note that the scheme is called passive because Alice does not actively select decoy
states. Instead, she determines the decoy states by measuring the trigger mode. Later,
we will show that this is one advantage of using the triggering PDC source for QKD.
Actually, in this case, there are no strict definitions of decoy states and signal states.
In the original decoy state method [77], decoy states are only used to estimate $Y_1$ and
$e_1$ and the key is always generated from signal states. In a triggering PDC QKD case,
both the triggered ($j = 1$) and non-triggered ($j = 0$) detection events may have positive
contributions to the final key generation.



7.4.5 Passive decoy state with threshold detectors 

Here, we will review the decoy protocol proposed by Adachi, Yamamoto, Koashi and 
Imoto [2] as a special case of the passive decoy state protocol. The AYKI protocol is 
interesting in practice since it does not involve any hardware change to implement the 
decoy state idea. 

Both Alice and Bob use threshold detectors, thus they have two types of detection
events, triggered ($j = 1$) and non-triggered ($j = 0$). Secure keys can be generated from
both types of detection events. Following the passive decoy state method procedure
described in the previous subsection, Alice and Bob can estimate $Y_1$ and $e_1$ by considering
the statistics of triggered and non-triggered detection events together. This is conceptually
similar to the one decoy state idea [77] described in Section 5.1.2.

By solving two linear equations of Eq. (7.5) with $j = 0, 1$,
$[1 - (1 - \eta_A)^2] \times Q_{\mu,0} - (1 - \eta_A)^2 \times Q_{\mu,1}$, one can get:

$$
Y_1 \ge Y_1^L = \frac{(1 + \mu)^2}{\mu} \left[ \frac{2 - \eta_A}{1 - \eta_A} (Q_{\mu,0} - Q_{0,0}) - \frac{1 - \eta_A}{\eta_A} Q_{\mu,1} \right], \tag{7.16}
$$

where $Q_{0,0}$ is the vacuum state contribution in non-triggered detection events. One needs
to minimize the key rate of Eq. (7.13) for $Q_{0,0}$ with the constraint of Eq. (7.6). Note that
this result is essentially Eq. (14) given in Ref. [2]. We can see that when $\eta_A$ is close to
1 or $\mu$ is small, after neglecting $Q_{0,0}$ (background counts), the lower bound $Y_1^L$ is tight
(approaches the real value of $Y_1$, see Eq. (3.6)):

$$
\lim_{\eta_A \to 1} Y_1^L = \lim_{\mu \to 0} Y_1^L = \eta. \tag{7.17}
$$

6 In the coherent state QKD, there is an optimal $\mu$ for a setup. To maximize the final key rate, Alice
and Bob should publicly compare all detection results from decoy states.

By neglecting the vacuum state contribution for triggered detection events, $Q_{0,1} = 0$,
$e_1$ can be simply estimated by:

$$
e_1 \le \frac{E_{\mu,1} Q_{\mu,1}}{Q_{1,1}}. \tag{7.18}
$$

To get the lower bound of $Y_1$ in Eq. (7.16), one has to estimate the background
contribution $Q_{0,0}$ as well. A simple bound of $Q_{0,0}$ is $0 \le Q_{0,0} e_0 \le E_{\mu,0} Q_{\mu,0}$ from Eq. (7.6),
where $e_0 = 1/2$.

Note that the key rate calculated by substituting Eqs. (7.16) and (7.18) into Eq. (7.13)
is not optimal. To get a tighter key rate bound, one can numerically calculate the lower
bound of Eq. (7.13) directly, given the measurement results, Eq. (7.9).

7.4.6 With a perfect photon-number resolving detector 

Here, we discuss a special case where Alice uses a perfect photon-number resolving
detector, discussed in Section 7.3.3. Now that Alice knows the exact photon number of
the source, Alice and Bob only need to focus the post-processing on single photon state
detection events. In this case, the BB84 protocol is implemented by single photon states
only. Thus, they can directly apply Shor and Preskill's formula [106, 75]:

$$
R \ge q Q_1 [1 - f(e_1) H_2(e_1) - H_2(e_1)]. \tag{7.19}
$$

Later, from the simulation that is shown in Figure 7.2, we can see that a perfect
photon-number resolving detector does not improve the QKD performance dramatically in
comparison to the threshold detector case.

7.4.7 A few remarks 

From the analysis of optimal $\mu$ in Appendix B.2, one can see that the key rate for a
case without decoy states quadratically depends on the channel loss, $R = O(\eta^2)$, while
for the case with decoy states, $R = O(\eta)$. This result is consistent with prior work that
compared the cases of a coherent state QKD with and without decoy states [65].

In the decoy state security proof [65], the key assumption is that the decoy state and
signal state should satisfy Eq. (4.2). This is guaranteed by the assumption that Eve
cannot distinguish decoy and signal states. However, in the active decoy state method,
Alice may introduce side information that can distinguish decoy and signal states when
she actively prepares decoy and signal states. For example, an attenuator on Alice's side,
used to prepare different intensities for signal and decoy states, may introduce different
frequency shifts for signal and decoy states [131]. In general, it is difficult to verify the
assumption that Eve cannot distinguish decoy and signal states in real active decoy state
experiments.

In the passive decoy state scheme, decoy and signal states are passively determined
by Alice's measurement outcome. Alice does not use an extra component (such as in the
active decoy state method) to prepare decoy states. This reduces the possibility of side
information leakage. By passively choosing decoy states, Alice prepares the same states on
Bob's arm. In fact, Alice can measure trigger signals after Bob finishes his measurements.
Thus, from Eve's point of view, the states transmitted through the channel are independent
of Alice's measurement results ($j$). Therefore, in principle, Eve cannot distinguish the
decoy and signal states in the passive decoy state QKD.

This is the main advantage in using the passive decoy state methods. Note that for 
a coherent state QKD, one can only use the active decoy state idea. 



7.5 Simulation 

In this section, we will compare the passive decoy state with a perfect number resolving 
detector and four QKD implementations with threshold detectors: non-decoy, infinite 
decoy, weak active decoy and AYKI (passive decoy state). 

We deduce experimental parameters from a recent PDC experiment [115], which are
listed in Table 7.1. In the following simulations, we will use $q = 1/2$ and $f(E_\mu) = 1.22$
in Eq. (7.12). We notice that with the slightly modified experiment setup, a coherent
state QKD with decoy states is implemented [115]. Thus, it is reasonable to use this
experiment setup to simulate the five QKD implementations.

In the simulation, for fair comparison, we always assume Bob uses the same detection 
setup (with threshold detectors). 



7 Strictly speaking, there is one underlying assumption: the PDC source is single-mode. 
Repetition rate | Wavelength | $\eta_{Alice}$ | $\eta_{Bob}$ | $e_d$ | $Y_{0B}$
249 MHz         | 710 nm     | 14.5%          | 14.5%        | 1.5%  | $6.024 \times 10^{-6}$

Table 7.1: List of parameters from the 144 km PDC experiment [115]. Here, $\eta_{Alice}$ and
$\eta_{Bob}$ are the detection efficiencies in Alice and Bob's detection system, not including the
optical channel loss, $e_d$ is the intrinsic detector error rate. $Y_{0B}$ is the background count
rate of Bob's detection system (for example, if Bob has two detectors, then $Y_{0B}$ will be
the sum of the background count rates of the two detectors). The transmission efficiency
$\eta$ in Eq. (3.6) is given by $\eta_{Bob}$ plus the channel loss. Since Alice owns the PDC source,
$\eta_A = \eta_{Alice}$.

7.5.1 Without statistical fluctuations 

In the first simulation, we will consider a case where Alice and Bob perform an infinitely
long QKD (no statistical fluctuations). In this case, the weak active decoy state protocol
will approach the infinite decoy case, similar to the discussion in Section 5.1.1. We
assume that Alice is able to adjust $\mu$ (the brightness of the PDC source) in the regime
of [0, 1] arbitrarily. In the simulation, we numerically optimize $\mu$ for each of the four
implementation protocols: non-decoy, infinite decoy, AYKI and a case with a perfect
number resolving detector. The simulation result is shown in Figure 7.2.
From Figure 7.2, we have the following remarks.

1. In Appendix B.2, instead of numerically optimizing $\mu$ as the case was for
Figure 7.2, we qualitatively investigate the optimal $\mu$ for triggering PDC QKD with
and without decoy states. The simulation result is consistent with the qualitative
conclusion $R = O(\eta)$ for the case with decoy states and $R = O(\eta^2)$ for the
case without decoy states.

2. The space between the solid and dashed line in Figure 7.2 indicates room left for
improvement by other decoy protocols with threshold detectors after the AYKI
protocol is implemented. We can see that, in a large regime of the optical link loss
(for instance, between 0 dB and 25 dB), the performances of AYKI and the infinite
decoy are close. For instance, the AYKI protocol yields around 50% of the key rate
of the infinite decoy state protocol when the channel loss is within 20 dB.

8 Here we simulate a free space QKD setup [115]. Since in a free space QKD system, the channel
transmittance will depend on not only the distance but also other components, such as the size of the
telescope, it is more appropriate to use the optical loss rather than the distance for the x-axis of Figure 7.2.
Figure 7.2: Plot of the key generation rate in terms of the optical loss, comparing four
schemes without considering statistical fluctuations: non-decoy, infinite decoy, AYKI
and a case with a perfect number resolving detector. Here, we use $q = 1/2$ and
$f(E_\mu) = 1.22$. We numerically optimize $\mu$ for each curve, see Appendix B.2 for more discussions.
Simulation parameters are listed in Table 7.1.



3. By comparing AYKI and a case with a perfect photon-number resolving detector,
we can see that even with a perfect photon-number resolving detector on Alice's
side, the key rate has not improved dramatically in a large regime of the optical
link loss.

4. The non-decoy protocol is better than the AYKI in the regime close to maximal
secure distances. This is because we use the bounds of Eqs. (7.16) and (7.18) for
the AYKI curve. In reality, Alice and Bob can use the bound of Eq. (7.14) directly
in this regime.

5. There is a bump in each curve. This is due to the fact that in the key generation
rate formula Eq. (7.13), the non-triggered detection events have no contribution to
the final secure key after the bump.



6. At the point of loss=0 dB, the key rates of four cases (from top to bottom) are
$1.21 \times 10^{-2}$, $8.6 \times 10^{-3}$, $4.2 \times 10^{-3}$ and $1.3 \times 10^{-3}$.

7. At the point of loss=0 dB, the numerical results for optimal $\mu$ for four cases (from
top to bottom) are: 1, 0.52, 0.194, 0.0589. The optimal $\mu$ for the case with a perfect
threshold detector is always 1, which is reasonable since $\mu = 1$ maximizes the single
photon state probability. In Appendix B.2, we show that the optimal $\mu$s for the
infinite decoy and AYKI case are relatively stable in a large regime of the optical
link loss (for instance, between 0 dB and 25 dB). The optimal $\mu$ for the no decoy
state case decreases with channel loss.

8. Note that the real $\mu$ used in the experiment [115] is $\mu = 0.0265$. In general, it is
experimentally difficult to increase the brightness ($\mu$) of a PDC source.

9. All of the four cases can tolerate similar optical losses.
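
The comparison of the three threshold-detector schemes (infinite decoy, AYKI, non-decoy) can be sketched with the script below, which is an added example and not the simulation code behind Figure 7.2. It assumes a thermal pair-number distribution $P(i) = \mu^i/(1+\mu)^{i+1}$, a threshold trigger with $\eta_{0|i} = (1-\eta_A)^i$ and no dark counts on Alice's side, and yields $Y_i = 1 - (1 - Y_{0B})(1 - \eta)^i$; it also takes the vacuum term of the key rate as 0 and uses the simple bound on $Q_{0,0}$, so absolute rates need not match the figure.

```python
import math

# Parameters of Table 7.1 and the q, f(E_mu) values quoted for the simulations.
ETA_A, ETA_BOB = 0.145, 0.145   # detection efficiencies of Alice and Bob
E_D, E_0 = 0.015, 0.5           # detector error rate e_d, background error rate e_0
Y0B = 6.024e-6                  # background count rate of Bob's detection system
Q_SIFT, F_EC = 0.5, 1.22        # q and f(E_mu)


def h2(x):
    """Binary entropy, x clipped to [0, 1/2] so a useless error bound costs 1 bit."""
    x = min(max(x, 0.0), 0.5)
    return 0.0 if x == 0.0 else -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def observables(mu, eta):
    """(Q_mu_j, E_mu_j) for j = 0 (non-triggered) and j = 1 (triggered).

    Assumed model: P(i) = mu^i / (1 + mu)^(i + 1), eta_{0|i} = (1 - eta_A)^i,
    Y_i = 1 - (1 - Y0B)(1 - eta)^i, no dark counts in Alice's detector.
    """
    a = 1.0 / (1.0 + ETA_A * mu)
    q0 = a - (1 - Y0B) / (1 + (ETA_A + eta - ETA_A * eta) * mu)
    q1 = 1 - (1 - Y0B) / (1 + eta * mu) - q0
    eq0 = E_D * q0 + (E_0 - E_D) * Y0B * a                # Eq. (7.8), j = 0
    eq1 = E_D * q1 + (E_0 - E_D) * ETA_A * mu * Y0B * a   # Eq. (7.8), j = 1
    return (q0, eq0 / q0), (q1, eq1 / q1)


def single_photon_weights(mu):
    """P(1) * eta_{j|1} for j = 0, 1, so that Q_1j = weight_j * Y_1 as in Eq. (7.9)."""
    p1 = mu / (1 + mu) ** 2
    return p1 * (1 - ETA_A), p1 * ETA_A


def group_rate(q_mu, e_mu, q_single, e_single):
    """GLLP-type rate of one trigger group, clipped at 0 (vacuum term taken as 0)."""
    r = Q_SIFT * (-F_EC * q_mu * h2(e_mu) + q_single * (1 - h2(e_single)))
    return max(r, 0.0)


def rate_infinite_decoy(mu, eta):
    """Y_1 and e_1 known exactly (infinite decoy states); R = R_0 + R_1, Eq. (7.13)."""
    (q0, e0), (q1, e1) = observables(mu, eta)
    y1 = 1 - (1 - Y0B) * (1 - eta)
    e_single = E_D + (E_0 - E_D) * Y0B / y1
    w0, w1 = single_photon_weights(mu)
    return group_rate(q0, e0, w0 * y1, e_single) + group_rate(q1, e1, w1 * y1, e_single)


def ayki_y1_lower(mu, eta):
    """Lower bound on Y_1 from the two trigger groups, Eq. (7.16)."""
    (q0, e0), (q1, _) = observables(mu, eta)
    q00_upper = e0 * q0 / E_0          # simple bound Q_00 * e_0 <= E_mu0 * Q_mu0
    bracket = ((2 - ETA_A) / (1 - ETA_A) * (q0 - q00_upper)
               - (1 - ETA_A) / ETA_A * q1)
    return (1 + mu) ** 2 / mu * bracket


def rate_ayki(mu, eta):
    """Passive decoy state with threshold detectors: Eqs. (7.16) and (7.18)."""
    (q0, e0), (q1, e1) = observables(mu, eta)
    y1_low = ayki_y1_lower(mu, eta)
    if y1_low <= 0:
        return 0.0
    w0, w1 = single_photon_weights(mu)
    e_single = e1 * q1 / (w1 * y1_low)
    return (group_rate(q0, e0, w0 * y1_low, e_single)
            + group_rate(q1, e1, w1 * y1_low, e_single))


def rate_no_decoy(mu, eta):
    """Worst case of Eq. (7.14): every multi-photon pulse is detected without error."""
    groups = observables(mu, eta)
    den = (1 + ETA_A * mu) * (1 + mu) ** 2
    multi = (mu ** 2 * (1 - ETA_A) ** 2 / den,
             ETA_A * (2 - ETA_A + mu) * mu ** 2 / den)
    total = 0.0
    for (q_mu, e_mu), m in zip(groups, multi):
        q_single = q_mu - m
        if q_single > 0:
            total += group_rate(q_mu, e_mu, q_single, e_mu * q_mu / q_single)
    return total


def best_rate(rate_fn, loss_db, points=400):
    """Maximise the rate over mu on a logarithmic grid in [1e-5, 1]."""
    eta = ETA_BOB * 10 ** (-loss_db / 10)
    return max(rate_fn(10 ** (-5 + 5 * k / points), eta) for k in range(points + 1))


if __name__ == "__main__":
    for loss in (0, 10, 20, 30):
        r = [best_rate(f, loss) for f in (rate_infinite_decoy, rate_ayki, rate_no_decoy)]
        print(f"{loss:2d} dB  infinite={r[0]:.3e}  AYKI={r[1]:.3e}  no decoy={r[2]:.3e}")
```

Between 10 dB and 20 dB of loss the infinite decoy rate drops by roughly one order of magnitude and the non-decoy rate by roughly two, which is the $O(\eta)$ versus $O(\eta^2)$ behaviour discussed in remark 1.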
7.5.2 With statistical fluctuations 

In a real experiment, the key length is always finite. Alice and Bob should consider
statistical fluctuations. As pointed out in Section 5.2, the statistical fluctuation analysis
is a complicated problem in the decoy state QKD scheme.

Similar to the analysis in Section 5.2, we assume a few conditions:

1. Alice knows the exact value of the average photon pair number $\mu$, which is a fixed
number during key transmission.

2. The distribution of the photon number, Eq. (7.3), does not fluctuate.

3. The QKD transmission is assumed to be part of an infinite length experiment.

Here, we focus on three cases with threshold detectors: infinite decoy, weak decoy
and AYKI. We assume that the data size is $6 \times 10^9$ pulses of Alice's pumping laser.
The simulation result is shown in Figure 8.5. From the simulation result, we have the
following observations.

1. Similar to a case without the fluctuation analysis, in a large regime of the optical 
link loss, the performances of AYKI and the infinite decoy are close. 



2. At the point of loss=0 dB, the key rates of the three cases from top to bottom are
$8.6 \times 10^{-3}$ (infinite), $5.0 \times 10^{-3}$ (weak) and $4.7 \times 10^{-3}$ (AYKI).

Figure 7.3: Plot of the key generation rate in terms of the optical loss, comparing three
cases with threshold detectors after considering statistical fluctuations: infinite decoy,
weak active decoy and AYKI. We numerically optimize $\mu$ for each curve. Here, we use
$q = 1/2$ and $f(E_\mu) = 1.22$. In the weak decoy state case, we assume Alice can randomly
attenuate her PDC source intensity. Simulation parameters are listed in Table 7.1. The
data size is $6 \times 10^9$ pumping laser pulses on Alice's side.

3. The maximal tolerable secure optical losses for the three cases are rather similar: 
37 dB (infinite), 32.5 dB (AYKI), 32 dB (weak). 

4. The AYKI protocol yields a higher key rate than the weak decoy state protocol 
when the loss is greater than 16 dB. AYKI is less affected by statistical fluctuations 
than the weak decoy state because in AYKI, Alice does not need to sacrifice extra 
pulses for decoy states. 



In Section 7.4.7, we pointed out that from a practical security point of view, the
passive decoy state method has an advantage over active decoy state methods. Moreover,
the AYKI method does not require any additional hardware changes to implement the
decoy state, while in the weak decoy state case, Alice needs to add an attenuator to
create decoy states. Now, from the simulation result, we can see that the AYKI and
weak active decoy state method yield a similar QKD performance. Thus, our conclusion
is that one should just use the AYKI method instead of the weak decoy state method.

7.6 Conclusion 

By investigating the optimal photon source intensity, we find that the triggering PDC 
QKD setup with decoy states is able to achieve a key rate that linearly depends on the 
channel transmittance, in comparison to the quadratic dependence for the case without 
decoy states. Therefore, we expect the decoy state QKD to become a standard technique 
not only in the coherent state QKD, but also in QKD with triggering PDC sources. 

On the practical side, we generalize the passive decoy state idea. The generalized 
passive decoy state idea can be applied to cases where either threshold detectors or 
photon number resolving detectors are used. The decoy protocol proposed by Adachi, 
Yamamoto, Koashi and Imoto (AYKI) can be treated as a special case of the generalized 
passive decoy state method. In comparison to the active (regular) decoy state methods, 
the passive one opens less possibility for Eve to distinguish decoy and signal states, which 
is a key underlying assumption in the security proof of the decoy state QKD scheme. 
From this sense, the passive decoy state method is more secure than the active decoy 
state methods in practice. 

By simulating a recent PDC experiment, we compared various practical decoy state
protocols with the infinite decoy protocol. We also compared cases using threshold
detectors and photon-number resolving detectors. Our simulation result shows that with
the AYKI protocol, one can achieve a key generation rate that is close to the theoretical
limit of infinite decoy protocol. Furthermore, our simulation result suggests that a
photon-number resolving detector has little room to improve the QKD performance, in
comparison to the case using threshold detectors.

We also considered the statistical fluctuations. We compared infinite decoy protocol, 
weak active decoy state method and AYKI protocol. The simulation result shows that the 
weak active decoy state method and AYKI protocol yield a very close QKD performance. 
In a large regime of the optical link loss, the AYKI protocol can achieve a performance 
that is close to the infinite decoy case. Since the AYKI protocol requires no hardware 
changes for triggering PDC QKD, we conclude that AYKI method is a good protocol for 
triggering PDC QKD experiments. 

Although our analysis is focused on QKD with PDC sources, we emphasize that it 
Chapter 8

Entanglement-based QKD 



A parametric down-conversion (PDC) source can be used as either a triggered single 
photon source or an entangled photon source in QKD. The triggering PDC QKD was 
already studied in the previous chapter. However, a model and a post-processing protocol 
for the entanglement PDC QKD are still missing. Here, we fill in this important gap 
by proposing such a model and a post-processing protocol for the entanglement PDC 
QKD. Although the PDC model is proposed for studying the entanglement-based QKD, 
we emphasize that our generic model may also be useful for other non-QKD experiments 
involving a PDC source. Since an entangled PDC source is a basis independent source, we 
apply Koashi-Preskill's security analysis to the entanglement PDC QKD. We will also 
investigate the entanglement PDC QKD with two-way classical communication. Our 
results indicate that the recurrence scheme increases the key rate and Gottesman-Lo 
protocol helps tolerate higher channel losses. By simulating a recent 144 km open-air 
PDC experiment, we will compare three implementations: entanglement PDC QKD, 
triggering PDC QKD and coherent state QKD. The simulation result suggests that the 
entanglement PDC QKD can tolerate higher channel losses than the coherent state QKD. 
The coherent state QKD with decoy states is able to achieve the highest key rate in 
the low and medium-loss regions. By applying Gottesman-Lo two-way post-processing 
protocol, the entanglement PDC QKD can tolerate up to 70 dB of combined channel 
losses (35 dB for each channel) provided that the PDC source is placed in between Alice 
and Bob. After considering statistical fluctuations, the PDC setup can tolerate up to a 
53 dB channel loss. 

This work is published in Ref. [75]. In this work, I build an entangled PDC source
model, apply Koashi-Preskill's security analysis and simulate a PDC experiment to show
the performance of the entanglement-based QKD in comparison with the triggering PDC
QKD and coherent state QKD.

8.1 Introduction 

As we discussed in Chapter 2, there are mainly two types of QKD schemes. One is the
prepare-and-measure scheme, such as BB84 [11] and the other is the entanglement based
QKD, such as Ekert91 [23] and BBM92 [12].

With a PDC source, one can realize either prepare-and-measure or entanglement-based
QKD protocols [H] . To implement a prepare-and-measure QKD protocol, one can
use a PDC source as a triggered single photon source. On the other hand, to implement an
entanglement-based QKD protocol, one can use the polarization entanglement between
two modes of light emitted from a PDC source. We call these two implementations the
triggering PDC QKD and entanglement PDC QKD. With an entangled source, one can
also implement QKD protocols based on causality [81] and Bell's inequality [1]. We notice
that the PDC QKD based on the time-energy entanglement has been exploited [112].

Here, we present a model for the entanglement PDC QKD. From the model, we find 
that an entangled PDC source is a basis independent source for QKD. Based on this 
observation, we propose a post-processing scheme by applying Koashi-Preskill's security 
analysis [54] . 

Recently, a free-space distribution of entangled photons over 144 km was
demonstrated [115]. We will simulate this experiment setup and compare three QKD
implementations: entanglement PDC QKD, triggering PDC QKD and coherent state QKD. In
the simulation, we will also apply Gottesman-Lo two-way post-processing protocol [31]
and a recurrence scheme [118], see also [74].

The main contributions of this chapter are as follows. 

• We present a model for the entanglement PDC QKD. Although the model is
proposed to study the entanglement-based QKD, this generic model may also be useful
for other non-QKD experiments involving a PDC source.

• From the model, we find that an entangled PDC source is a basis independent
source for QKD. Based on this observation, we propose a post-processing scheme
for the entanglement PDC QKD. Essentially, we apply Koashi-Preskill's security
analysis [54].

• By simulating a PDC experiment [115], we compare three QKD implementations:
entanglement PDC QKD, triggering PDC QKD and coherent state QKD. In the
entanglement PDC QKD, we consider two cases: the source in the middle and
source on Alice's side.

• In the case where the PDC source is placed in between Alice and Bob, we find 
that the entanglement PDC QKD can tolerate the highest channel losses, up to 70 
dB by applying Gottesman-Lo two-way classical communication post-processing 
protocol [M]. Note that a 35 dB channel loss is comparable to the estimated loss 
in a satellite to ground transmission in the literature [61 [951 HS1 11171 H] . 

• We consider statistical fluctuations for the entanglement PDC QKD. In this case, 
the PDC setup can tolerate up to a 53 dB channel loss. 

• The coherent state QKD with decoy states is able to achieve the highest key rate 
in the low and medium-loss regions. 

In Section 8.2, we will review two experiment setups of the entanglement PDC QKD.
In Section 8.3, the entanglement PDC QKD will be modeled. In Appendix A.5, we
calculate the quantum bit error rate in the entanglement PDC QKD. In Section 8.4, a
post-processing scheme for the entanglement PDC QKD will be proposed. In Section 8.5,
we will compare the entanglement PDC QKD, the triggering PDC QKD and the coherent
state QKD by simulating a real PDC experiment. We also apply protocols based on
two-way classical communication and consider statistical fluctuations. In Appendix B.3, the
optimal $\mu$ for the entanglement PDC QKD is investigated.

8.2 Implementation 

In general, the entangled PDC source does not necessarily belong to one of the two 
legitimate QKD users, Alice or Bob. One can even assume that an eavesdropper, Eve, 
owns the PDC source. In this section, we will compare two experimental setups of the 
entanglement PDC QKD due to the position of the PDC source; in between Alice and 
Bob or on Alice's side. 

Let us start with a general discussion about an entangled PDC source. With the
rotating-wave approximation, the Hamiltonian of the PDC process can be written as

$$
H = i\chi (a_H^\dagger b_V^\dagger - a_V^\dagger b_H^\dagger) + \text{h.c.}, \tag{8.1}
$$

where h.c. means Hermitian conjugate and $\chi$ is a coupling constant depending on the
crystal nonlinearity and the amplitude of the pump beam. The operators $a_i$ and $b_i$ are
the annihilation operators for rectilinear polarizations $i \in \{H, V\}$ in modes $a$ and $b$,
respectively. Modes $a$ and $b$ are the modes sent to Alice and Bob, respectively. Notice
that the difference between this Hamiltonian and Eq. (7.1) is that in this case, one should
consider two degrees of freedom: polarization (H and V) and space ($a$ and $b$).

In Section 8.3, we will focus on modeling the measurement of the rectilinear
polarization (Z) basis. Due to symmetry, all the calculations can be applied to the X basis too.



8.2.1 Source in the middle 



First, we consider a case where the PDC source sits in between Alice and Bob. The
schematic diagram is shown in Figure 8.1.


Figure 8.1: A schematic diagram for the entanglement PDC QKD. Alice and Bob connect
to an entangled PDC source by optical links. They each receive one of two entangled
modes coming out from the PDC source. Both Alice and Bob randomly choose a basis (by
polarization controllers) to measure the arrived signals (by single photon detectors). PC:
polarization controller; PBS: polarization beam splitter; $D_{A0}$, $D_{A1}$, $D_{B0}$, $D_{B1}$:
threshold detectors.

As shown in Figure 8.1, a PDC source provides two entangled modes, a and b, which
are sent to Alice and Bob, respectively. After receiving the signals, Alice and Bob each
randomly choose a basis (X or Z) to perform a measurement. A key observation of this
setup is that the state emitted from the PDC source is independent of the bases that
Alice and Bob choose for the measurements.



8.2.2 Source on Alice's side 

Another case is where Alice owns the PDC source. The schematic diagram is shown in
Figure 8.2.







Figure 8.2: A schematic diagram for the entanglement PDC QKD. Alice measures one
of the entangled modes coming out from the PDC source and sends Bob the other mode.

In comparing Figures 8.1 and 8.2, we can see that the only difference is the position
of the PDC source. As we will see in Section 8.4, the post-processing of these two setups
is similar.

Note that in the second setup, Alice's measurement commutes with Bob's measure- 
ment. Thus, we have the same observation as before where the PDC source state is 
independent of the measurement bases. 

Therefore, for both setups, the entangled PDC source is a basis-independent source. 
It follows that the entanglement PDC QKD is a basis independent QKD. 

8.3 Model 

In this section, we will model an entangled PDC source, channel and detectors for the
entanglement PDC QKD. We emphasize that this model is applicable for both experiment
setups described in Section 8.2.

8.3.1 An entangled PDC source 

From Eq. (8.1), the state emitted from a type-II PDC source can be written as [55]:

$$|\Psi\rangle = (\cosh\chi)^{-2} \sum_{n=0}^{\infty} \sqrt{n+1}\,\tanh^n\chi\,|\Phi_n\rangle, \qquad (8.2)$$

where $|\Phi_n\rangle$ is the state of an n-photon-pair, given by:

$$|\Phi_n\rangle = \frac{1}{\sqrt{n+1}} \sum_{m=0}^{n} (-1)^m\,|n-m, m\rangle_a\,|m, n-m\rangle_b. \qquad (8.3)$$

For example, when $n = 1$, Eq. (8.3) will give a Bell state:

$$|\Phi_1\rangle = \frac{1}{\sqrt{2}}\left(|1,0\rangle_a|0,1\rangle_b - |0,1\rangle_a|1,0\rangle_b\right) = \frac{1}{\sqrt{2}}\left(|\leftrightarrow\rangle_a|\updownarrow\rangle_b - |\updownarrow\rangle_a|\leftrightarrow\rangle_b\right). \qquad (8.4)$$

Here, we use the polarizations $|1,0\rangle = |\leftrightarrow\rangle$ and $|0,1\rangle = |\updownarrow\rangle$ as a qubit basis (Z basis)
for QKD. From Eq. (8.2), the probability of getting an n-photon-pair is:

where we define $\lambda = \sinh^2\chi$. The expected photon pair number is $\mu = 2\lambda$, which is
the average number of photon pairs generated by one pump pulse, characterizing the
brightness of a PDC source.



8.3.2 Detection 

Now we need to consider two channels: one for Alice and the other for Bob. We can apply
the photon number channel model, described in Section 3.2.3, to each arm. The yield of
an n-photon-pair $Y_n$ mainly comes from two parts, the background and the true signal.
Assuming that the background counts are independent of the signal photon detection,
$Y_n$ is given by:

$$Y_n = \left[1 - (1 - Y_{0A})(1 - \eta_A)^n\right]\left[1 - (1 - Y_{0B})(1 - \eta_B)^n\right], \qquad (8.6)$$

where $Y_{0A}$ and $Y_{0B}$ are the background count rates on the sides of Alice and Bob,
respectively. The vacuum state contribution is $Y_0 = Y_{0A} Y_{0B}$. The gain of the n-photon-pair
$Q_n$, which is the product of Eqs. (8.5) and (8.6), is given by:

$$Q_n = Y_n P(n) = \left[1 - (1 - Y_{0A})(1 - \eta_A)^n\right]\left[1 - (1 - Y_{0B})(1 - \eta_B)^n\right] \frac{(n+1)\lambda^n}{(1+\lambda)^{n+2}}. \qquad (8.7)$$

The overall gain is given by

$$Q_\lambda = \sum_{n=0}^{\infty} Q_n = 1 - \frac{1 - Y_{0A}}{(1 + \eta_A\lambda)^2} - \frac{1 - Y_{0B}}{(1 + \eta_B\lambda)^2} + \frac{(1 - Y_{0A})(1 - Y_{0B})}{(1 + \eta_A\lambda + \eta_B\lambda - \eta_A\eta_B\lambda)^2}. \qquad (8.8)$$

Here, the overall gain $Q_\lambda$ is the probability of a coincident detection event given a pump
pulse. Note that the parameter $\lambda$ is one half of the expected photon pair number $\mu$.
The overall quantum bit error rate (QBER, $E_\lambda$) is given by:

$$E_\lambda Q_\lambda = e_0 Q_\lambda - \frac{2(e_0 - e_d)\,\eta_A\eta_B\lambda(1+\lambda)}{(1 + \eta_A\lambda)(1 + \eta_B\lambda)(1 + \eta_A\lambda + \eta_B\lambda - \eta_A\eta_B\lambda)}, \qquad (8.9)$$

where $Q_\lambda$ is the gain given in Eq. (8.8). The calculation of $E_\lambda$ is shown in Appendix


8.4 Post-processing 

As mentioned in Section 8.2, the entanglement PDC QKD is a basis-independent QKD.
Thus, we can apply Koashi and Preskill's security proof [51]. The key generation rate is
given by:

$$R \ge q\left\{Q_\lambda\left[1 - f(\delta_b)H_2(\delta_b) - H_2(\delta_p)\right]\right\}, \qquad (8.10)$$

where the subscript $\lambda$ denotes one half of the expected photon number $\mu$, $Q_\lambda$ is the
overall gain, $\delta_b$ ($\delta_p$) is the bit (phase) error rate, f(x) is the bi-direction error correction
efficiency

Due to the symmetry of X and Z bases measurements, as shown in Section 8.2, $\delta_b$
and $\delta_p$ are given by:

$$\delta_b = \delta_p = E_\lambda, \qquad (8.11)$$

where $E_\lambda$ is the overall QBER. This equation is true for the asymptotic limit of an
infinitely long key distribution. Later, in Section 8.5.3, we will see that Eq. (8.11) may
not be true when statistical fluctuations are taken into account.

Note that in Koashi and Preskill's security proof, the squash model [35] is applied.
In the squash model, Alice and Bob project the state onto the qubit Hilbert space before
X or Z measurements. For more details of the squash model, one can refer to [32]. In
the case where Alice owns the PDC source, as discussed in Subsection 8.2.2, the key
rate formula of Eq. (8.10) has been proven [51] to be valid for the QKD with threshold
detectors without the squash model, see also [67]. We also notice that this post-processing
scheme, Eqs. (8.10) and (8.11), can be derived from the security analysis based on the
uncertainty principle [52].

In Eq. (8.10), $Q_\lambda$ can be directly measured from a QKD experiment and $E_\lambda$ can be
estimated by error testing. In the simulation shown in Section 8.5, we will use Eqs. (8.8)
and (8.9).

Note that the post-processing for the entanglement PDC QKD is simpler than for the
coherent state QKD and triggering PDC QKD. In the entanglement PDC QKD, all
the parameters needed for the post-processing ($Q_\lambda$ and $E_\lambda$) can be directly calculated
or tested from the measured classical data. On the other hand, in the coherent state
QKD and the triggering PDC QKD, Alice and Bob need to know the value of some
experimental parameters ahead of time, such as the expected photon number $\mu$. They
also need to estimate the gain and error rate of the single photon states, $Q_1$ and $e_1$, which
makes the statistical fluctuation analysis difficult [77], as investigated in Section 5.2.

The post-processing can be further improved by introducing two-way classical com- 
munication between Alice and Bob [MJ [71] . Moreover, the adding noise technique may 
enhance the performance [5B] . 

8.5 Simulation 

In this section, we will first compare three QKD implementations: entanglement PDC 
QKD, triggering PDC QKD and coherent state QKD. Then we will apply post-processing 
protocols with two-way classical communication to the entanglement PDC QKD. Finally, 
we will consider the statistical fluctuations. 

We deduce parameters from a recent PDC experiment [115] with respect to the model
given in Section 8.3, which are listed in Table 8.1. For the coherent state QKD, we use
$\eta_A = 1$ since Alice prepares the states in this case. In the following simulations, we will
use $q = 1/2$ and $f(E_\lambda) = 1.22$ PJ.

The optimal expected photon number $\mu$ of the coherent state QKD is discussed in
Ref. [TQl [77]. In Appendix B.3, we investigate the optimal $\mu$ ($2\lambda$) for the entanglement
PDC QKD. Not surprisingly, we find that the optimal $\mu$ for the entanglement PDC QKD
is in the order of 1, $\mu = 2\lambda = O(1)$. Thus, the key generation rate given in Eq. (8.10)
depends linearly on the channel transmittance.

8.5.1 Comparison of three QKD implementations 

In the first simulation, we assumed that Alice was able to adjust the expected photon
pair number $\mu$ ($2\lambda$, the brightness of the PDC source) in the region of [0,1]. Thus,
we can optimize $\mu$ for the entanglement PDC QKD and the triggering PDC QKD. The
simulation results are shown in Figure 8.3. For the simulation of triggering PDC QKD
with decoy states, one can refer to Section 7.5.

Figure 8.3: Plot of the key generation rate in terms of the optical loss, comparing four
cases: coherent state QKD+asymptotic decoy, triggering PDC+asymptotic decoy, and
entanglement PDC QKD (source in the middle and source on Alice's side). For the
coherent state QKD+decoy, we use $\eta_A = 1$. We numerically optimize $\mu$ ($2\lambda$) for each
curve. The simulation of triggering PDC QKD with decoy states can be found in Section


From Figure 8.3, we have the following remarks.

1. The entanglement PDC QKD can tolerate the highest channel losses in the case 
where the source is placed in the middle between Alice and Bob. 

2. The coherent state QKD with decoy states is able to achieve the highest key rate
in the low and medium-loss region. This is because in the coherent state QKD
implementation, Alice does not need to detect any photons, which will effectively
give $\eta_A = 1$ in the PDC QKD implementations.

3. In comparing two cases of the entanglement PDC QKD with a source in the middle
and source on Alice's side, they yield a similar key rate in the low and medium-loss region.
However, the source in the middle case can tolerate higher channel losses.
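
The model of Section 8.3 and the key rate of Section 8.4, evaluated numerically as an added example (not code from the thesis). The detector efficiency, background rate and $e_d$ below are constructed values, since the experimental parameter table is not reproduced here; $e_0 = 1/2$ is an assumption (random background clicks), and $\lambda$ is taken from the $\mu = 0.053$ quoted in Section 8.5.3.

```python
import math

# Constructed sample parameters (assumptions, not the thesis's table values).
ETA_DET = 0.15        # detection efficiency of each side at 0 dB channel loss
Y0 = 6e-6             # background count rate per pulse, same on both sides
E_D = 0.015           # intrinsic detector error probability e_d
LAMBDA = 0.053 / 2    # lambda = mu / 2 with the mu = 0.053 of Section 8.5.3


def h2(x):
    """Binary entropy H_2(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def yield_n(n, eta_a, eta_b, y0a, y0b):
    """Eq. (8.6): coincidence yield of an n-photon-pair state."""
    return ((1 - (1 - y0a) * (1 - eta_a) ** n)
            * (1 - (1 - y0b) * (1 - eta_b) ** n))


def gain_series(lam, eta_a, eta_b, y0a, y0b, n_max=400):
    """Eq. (8.7) summed term by term, used to cross-check the closed form."""
    total = 0.0
    for n in range(n_max + 1):
        weight = (n + 1) * lam ** n / (1 + lam) ** (n + 2)
        total += yield_n(n, eta_a, eta_b, y0a, y0b) * weight
    return total


def gain(lam, eta_a, eta_b, y0a, y0b):
    """Eq. (8.8): closed form of the overall gain Q_lambda."""
    joint = 1 + eta_a * lam + eta_b * lam - eta_a * eta_b * lam
    return (1
            - (1 - y0a) / (1 + eta_a * lam) ** 2
            - (1 - y0b) / (1 + eta_b * lam) ** 2
            + (1 - y0a) * (1 - y0b) / joint ** 2)


def qber(lam, eta_a, eta_b, y0a, y0b, e_d, e0=0.5):
    """Eq. (8.9) solved for the overall QBER E_lambda."""
    q = gain(lam, eta_a, eta_b, y0a, y0b)
    if q <= 0.0:
        return e0     # no coincidences at all: treat as pure noise
    joint = 1 + eta_a * lam + eta_b * lam - eta_a * eta_b * lam
    num = 2 * (e0 - e_d) * eta_a * eta_b * lam * (1 + lam)
    den = (1 + eta_a * lam) * (1 + eta_b * lam) * joint
    return e0 - num / (den * q)


def key_rate(lam, eta_a, eta_b, y0a, y0b, e_d, q_basis=0.5, f_ec=1.22):
    """Eq. (8.10) with delta_b = delta_p = E_lambda, Eq. (8.11) (asymptotic)."""
    q = gain(lam, eta_a, eta_b, y0a, y0b)
    if q <= 0.0:
        return 0.0
    e = qber(lam, eta_a, eta_b, y0a, y0b, e_d)
    return q_basis * q * (1 - f_ec * h2(e) - h2(e))


def max_tolerable_loss_db(lam, eta_det, y0, e_d, source="middle", limit_db=120):
    """Largest total channel loss (scanned in 1 dB steps) that still gives R > 0."""
    best = None
    for loss in range(limit_db + 1):
        if source == "middle":   # Section 8.2.1: loss split over both arms
            eta_a = eta_b = eta_det * 10 ** (-(loss / 2) / 10)
        else:                    # Section 8.2.2: Alice measures at the source
            eta_a, eta_b = eta_det, eta_det * 10 ** (-loss / 10)
        if key_rate(lam, eta_a, eta_b, y0, y0, e_d) > 0:
            best = loss
    return best


if __name__ == "__main__":
    for where in ("middle", "alice"):
        loss = max_tolerable_loss_db(LAMBDA, ETA_DET, Y0, E_D, where)
        print(f"source {where}: key rate stays positive up to {loss} dB")
```

With these constructed inputs the scan reproduces the ordering of remark 3: the source-in-the-middle setup keeps a positive key rate to a much higher total loss, because each arm's signal stays above the background longer when the loss is shared.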

In the following simulations, we will focus on the case where the entangled PDC
source sits in the middle between Alice and Bob.



8.5.2 With two-way classical communication 



We can also apply the idea of post-processing with two-way classical communication.
Similar to the argument in Chapter 6, we can apply the recurrence idea [118] and the B
steps described in Section 6.1.1. The simulation results are shown in Figure

Figure 8.4: Plot of the key generation rate in terms of the optical loss. We apply the
recurrence idea and up to 3 B steps; $\mu$ is numerically optimized for each curve.

From Figure 8.4, we can see that the recurrence scheme can increase the key rate by
around 10% and extend the maximal tolerable loss by around 1 dB. The PDC experiment
setup can tolerate up to a 70 dB channel loss with 3 B steps. Note that 70 dB (35 dB in
each channel) is comparable to the estimated loss in a satellite to ground transmission
[117]. This result suggests that satellite-ground QKD may be possible. However, this
simulation assumes an ideal situation where an infinite number of signals are transmitted.
Moreover, we assume that $\mu$ (the brightness of the PDC source) is a freely adjustable
parameter in the PDC experiment. In a more realistic case where a finite number of
signals are transmitted and $\mu$ is a fixed parameter, the tolerable channel loss becomes
smaller, which will be shown next.

8.5.3 Statistical fluctuations

In Eq. (8.11), we assume that $\delta_b$ and $\delta_p$ are the same due to the symmetry between X
and Z measurements. Alice and Bob randomly choose to measure in X or Z basis. Then
asymptotically, $\delta_b$ is a good estimate of $\delta_p$. However, in a realistic QKD experiment, only a
finite number of signals are transmitted. Thus $\delta_p$ may slightly differ from $\delta_b$. We assume
that Alice and Bob do not perform error testing explicitly. Instead, they obtain the bit
error rate directly from an error correction protocol (e.g., the Cascade protocol [16]). In
such a case, there is no fluctuation in the bit error rate $\delta_b = E_\lambda$. On the other hand, the
phase error rate may fluctuate to a certain value of $\delta_p = \delta_b + \epsilon$. Following the fluctuation
analysis of Ref. [106], we know that the probability of getting an $\epsilon$ bias is

where $n = N Q_\lambda$ is the number of detection events, the product of the total number of pulses
$N$ and the overall gain $Q_\lambda$.

In the 144 km PDC experiment [115], the repetition rate of the pump pulse is 249 MHz
as given in Table 8.1. As discussed in Ref. [117], the typical time of a ground-satellite
QKD allowed by satellite visibility is 40 minutes. Here, we assume the experiment runs 10
minutes, which means the data size (the number of the pumping pulses) is $N = 1.5 \times 10^{11}$.
By taking this data size, we considered the fluctuations for the entanglement PDC QKD.

In a realistic case, the brightness of the PDC source $\mu$ cannot be set freely. In the 144
km PDC experiment [115], the expected photon pair number is $\mu = 2\lambda = 0.053$. After
taking $\mu = 0.053$ and the data size of $N = 1.5 \times 10^{11}$ for the fluctuation analysis, the
simulation result is shown in Figure 8.5.

We have a couple of remarks about Figure 8.5.

1. In Figure 8.5, if we use the key rate of $10^{-10}$ as the cut-off point¹, the entanglement
PDC QKD with one B step can tolerate up to a 53 dB transmission loss.

2. We have tried simulations with various values of $\mu$. We find that the key rate is stable
with moderate changes of $\mu$. With the above fluctuation analysis, if we numerically
optimize $\mu$ for each curve, the maximal tolerable channel loss (with cut-off key rate
of $10^{-10}$) is only 1 dB larger than the one given by $\mu = 0.053$. Thus, one cannot
significantly improve the maximal tolerable channel loss by just using a better PDC
source in the 144 km PDC experiment setup [115].

¹ Then the final key length is 15 bits. One should also consider the cost in the authentication procedure.
Thus this is a reasonable cut-off point.

Figure 8.5: Plot of the key generation rate in terms of the optical loss. We take a realistic
$\mu = 2\lambda = 0.053$, and consider a fluctuation with a data size (the number of the pumping
pulses) of $N = 1.5 \times 10^{11}$ and a confidence interval of $1 - P_\epsilon > 1 - e^{-50}$.

8.6 Conclusion 

We proposed a model and post-processing protocol for the entanglement PDC QKD. We
find that the post-processing is simple by applying Koashi-Preskill's security proof due
to the fact that the entanglement PDC QKD is a basis independent QKD. Specifically,
only directly measured data (the overall gain and the overall QBER) are needed to
perform the post-processing. By simulating a recent experiment, we compare three QKD
schemes: coherent state QKD+asymptotic decoy, triggering PDC+asymptotic decoy,
and entanglement PDC QKD (source in the middle and on Alice's side). We find that
a) the entanglement PDC (with source in the middle) can tolerate the highest channel
loss; b) the coherent state QKD with decoy states can achieve the highest key rate in
the medium- and low-loss regions; c) asymptotically, with a realistic PDC experiment
setup, the entanglement PDC QKD can tolerate up to a 70 dB channel loss by applying
post-processing schemes with two-way classical communication; d) the PDC setup can
tolerate up to a 53 dB channel loss when statistical fluctuations are taken into account.



Chapter 9 

Quantum cryptanalysis 



In this chapter, we will discuss existing security loopholes in current QKD setups. We 
propose a technologically feasible attack and present possible solutions. Note that al- 
though the attack is proposed for the BB84 coherent state QKD implementation, the 
attack works for many other protocols as well. 

The theoretical work of the time-shift attack is published in Ref . • The security 
proof of efficiency mismatch is presented in Ref. [29]. Aside from the decoy state method, 
we also studied other methods to improve the QKD performance, such as dual detector 
scheme [9U| I9"2~| . Note that I am not the main contributor of these projects. I joined in 
discussions and helped work out the details. 

9.1 Side information 

In Chapter 2, we discussed various security analyses of QKD. In many cases, we assumed
that Eve cannot learn about bit values or basis information directly from Alice and Bob's
systems, e.g., by breaking into Alice or Bob's box. As we pointed out in Section 2.2,
many of the security proofs rely on the assumption of the squash model. In reality, the
bit value or basis information might be revealed to Eve through some side channels. For
example, two detectors used in QKD systems may have different properties, which might
reveal to Eve partial information about the bit values.

9.1.1 Detector inefficiency loophole 

Before examining the details of possible side information channels in current QKD setups,
let us take a look at a fundamental reason for the existence of these loopholes.

An important piece of evidence that indicates the validity of quantum mechanics is
shown by the violation of the Bell inequality [5] and its descendant experiment verifica- 
tions (see for example, Ref. j5]). The experiments show that the concept of traditional 
local realism is inconsistent with quantum mechanics and then, with the real world. 
However, this verification has not been completely conclusive, since there exists certain 
loopholes in these experiments. See for example, [S3 EI21 ED] • 

Since entanglement is the precondition of QKD security [20] and the concept of
entanglement is closely related to Bell's inequality¹, a natural question is "Does this detector
inefficiency loophole affect the security of QKD?" As we will show shortly, the answer is
yes.



9.1.2 Timing information 

In many QKD systems, detectors are operated in a gated mode in order to reduce the dark
count rate. In general, the width of the SPD's open window (a few ns) is often substantially
larger than the laser pulse duration (a few hundred ps). Here, we treat the signal pulse
as a delta function in the time domain.

Typically, Bob uses two separate single photon detectors, which are labeled as SPD0
and SPD1, to detect bit "0" and bit "1", respectively. In real life, due to device
imperfections, the time-dependent efficiencies of the two detectors are not identical in general,
as shown in Figure 9.1.

Ideally, Alice and Bob can synchronize the laser pulse with the center of the time
window ($T_0$ in Figure 9.1). This ensures that a small detector efficiency mismatch will
not affect the normal operation of the QKD system. In reality, the timing may be shifted
by a small amount due to fluctuations or device imperfections². Thus, the pulse timing
contains information about the detector efficiencies, which may reveal the detection bit
values.

Note that other degrees of freedom of the signal may also introduce similar problems. For
example, two detectors may respond differently in the frequency domain [91]. In the
following discussions, we will focus on the efficiency mismatch due to signal timing.

¹ Although entanglement does not promise violation of the Bell's inequality.
² Shortly, we will see that Eve may shift the pulse by a large amount for her attack.

Figure 9.1: The time-dependent efficiencies of single photon detectors (SPDs).

9.2 Time-shift attack 

Recently, an eavesdropping attack that exploits this efficiency mismatch of detectors in 
the QKD system has been proposed [78]. In this attack, Eve intercepts and performs 
a complete von Neumann measurement on each quantum state sent out by Alice. She 
then generates a new time-shifted signal based on her measurement result and sends it 
to Bob. 

Note that to implement this attack in Ref. [78], Eve will need a complicated detection
(similar to Bob's system) and resend (similar to Alice's system) system. If we assume
that Eve builds her "practical" eavesdropping device based on today's technology, she
will also experience the problem of low detection efficiency and will introduce additional
errors due to imperfections in her setup.

Based on this work, we propose a simple practical attack: the time-shift attack [90]. In
our attack, Eve does not measure the quantum state that is sent by Alice. Instead, Eve
simply shifts the arrival time of either the signal pulse or the synchronization (reference)
pulse or both between Alice and Bob. Consequently, Eve has control of the arrival time
of the pulse. For example, she shifts the pulse to $t_0$ in Figure 9.1 and then Bob claims a
detection event of that pulse. Now, Eve knows with a high probability that SPD0 clicks.
Hence, she can guess Bob's measurement result 0. In an extreme case where there is a
complete detector efficiency mismatch³, Eve can acquire full information on the final key
without introducing any error. In other words, a naive application of standard security
proofs, for instance, the GLLP [35] security analysis, without taking into account the
detector efficiency mismatch is invalid.

Figure 9.2 shows a schematic diagram for the experimental realization of the time-shift
attack. Instead of measuring Alice's quantum state, Eve just randomly shifts the
time of Alice's quantum state to make sure that it arrives at Bob's detector at either
time $t_0$ or $t_1$. When Eve chooses time $t_0$ and Bob detects a signal, with the probability
of $\eta_0/(\eta_0 + \eta_1)$ the bit value will be "0". Here, we assume that the detector efficiencies
of SPD0 and SPD1 are $\eta_0$ and $\eta_1$ at time $t_0$ and Alice chooses bit "0" and "1" with an
equal prior probability. Because the probability that Eve incorrectly guesses Bob's bit
value is $\eta_1/(\eta_0 + \eta_1)$, Eve's knowledge about the final key is given by:

$$I(B:E) = 1 - H_2\left(\frac{\eta_0}{\eta_0 + \eta_1}\right). \qquad (9.1)$$

Note that in this attack, Eve does not measure Alice's state. Therefore, Eve will not introduce
extra errors. Due to the symmetry, the same analysis can also be applied to the case when
Eve chooses $t_1$.




Figure 9.2: A schematic diagram of Eve's attack. HOS: high-speed optical switch. 

In comparison with the attack in Ref. [75], our attack is simpler and can be easily 
realized with today's technology: Eve can use high speed optical switches to re-route 
Alice's signal through either a long or short optical path to achieve the desired time 
shift. Another advantage of our attack is that Eve will never introduce errors. Therefore, 
it is difficult for Alice and Bob to detect Eve's presence. 

For details of the time-shift attack, one can refer to Ref. [90]. Note that our time-shift
attack was experimentally realized in our lab [130].

³ That is to say, there is a time window where SPD0 (or SPD1) is active while SPD1 (or SPD0) is
completely inactive.

9.3 Security against time-shift attack

Now that we know about the time-shift attack, we can provide a secure QKD against the
attack. There are two approaches: hardware based and software based. In the hardware
based approach, we apply some countermeasures or improve the system setups.
In the software based approach, we provide a security analysis with detector efficiency
mismatch.

9.3.1 A simple solution 

To counter Eve's attack, Alice and Bob could develop various countermeasures, such as
those discussed in Ref. [78]. Note that a recently proposed single SPD QKD system is also
immune to this attack [58]. In a phase encoding BB84 version of this design, instead of
randomly selecting from a set of two values, Bob's phase modulation is randomly selected
from a set of four values, which is identical to the set for Alice's phase modulation. In this
case, Bob not only randomly chooses his measuring basis for each incoming pulse, he also
randomly determines which SPD is used for detecting bit "0" or bit "1". Bob broadcasts
his basis choice, but keeps his choice of detector (for the bit "0" or "1") secret. In such
a set-up, even if Eve has information about which detector clicks, Eve still cannot work
out Bob's bit value because she does not know which detector corresponds to the bit "0".
Bob's random choice of detectors to detect the bit "0" or "1" will even out the efficiency
mismatch.

9.3.2 Security proof for a QKD system with detector efficiency mismatch

Here, we will only discuss the security proof for a simple scenario: single photon source,
noiseless channel and the efficiencies of two detectors, which are $\eta_0$ and $\eta_1$, to detect
the bit "0" and "1"⁴. For a full discussion of the security proof for a QKD system with
efficiency mismatch detectors, one can refer to Ref. [29].

⁴ In real time-shift attack, Eve might shift the pulse in various positions. Here, we only consider one
point that will cause a detector efficiency mismatch. In general, $\eta_0$ and $\eta_1$ can be characterized by a
tensor in the auxiliary dimension (for instance, time domain).

In this simple QKD picture, Eve does not introduce any bit or phase errors, but only
intervenes in the auxiliary dimension to gain side information. As discussed in Section
2.4, the state shared by Alice and Bob after transmission (Eve's intervention) and basis
reconciliation is

$$(|00\rangle + |11\rangle)_{AB} \mapsto \left(\sqrt{\eta_0}\,|00\rangle + \sqrt{\eta_1}\,|11\rangle\right)_{AB}. \qquad (9.2)$$

Eve does not introduce any bit errors and she simply attaches an extra system T, by
shifting the timing of the signals that represents her intervention in the auxiliary
dimension.

With a hashing based EDP [13], the amount of EPR pairs that Alice and Bob can
distill from the final state is $H_2(\eta_0/(\eta_0 + \eta_1))$, which is consistent with the result of
Eq. (9.1). Note that when $\eta_0 \neq \eta_1$, the key rate is less than 1 in comparison to the
perfect case of R = 1.
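
An added example (not from the thesis or Ref. [90]) for auditing one's own detectors: it evaluates Eq. (9.1) and the distillable fraction of Section 9.3.2 over characterization curves, and checks by Monte Carlo that the random detector assignment of Section 9.3.1 evens out the mismatch. The Gaussian gate curves, their 0.3 ns offset, the `min_eff` cut and all function names are constructed assumptions.

```python
import math
import random


def h2(x):
    """Binary entropy H_2(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def leak_per_bit(eta0, eta1):
    """Eq. (9.1): I(B:E) = 1 - H2(eta0 / (eta0 + eta1)) at one arrival time."""
    total = eta0 + eta1
    if total <= 0.0:
        return 0.0          # no detections at this time, nothing to learn
    return 1.0 - h2(eta0 / total)


def secure_fraction(eta0, eta1):
    """Section 9.3.2: EPR pairs distillable per detected pair (noiseless case)."""
    return 1.0 - leak_per_bit(eta0, eta1)


def audit_gate(times_ns, eff0, eff1, min_eff=1e-4):
    """Scan measured efficiency curves; return (time, leak) of the worst point.

    Arrival times where both detectors are below min_eff are skipped because
    they yield essentially no sifted key.
    """
    worst_t, worst_leak = None, 0.0
    for t, e0, e1 in zip(times_ns, eff0, eff1):
        if max(e0, e1) < min_eff:
            continue
        leak = leak_per_bit(e0, e1)
        if leak > worst_leak:
            worst_t, worst_leak = t, leak
    return worst_t, worst_leak


def eve_guess_accuracy(eta0, eta1, n_pulses, randomize_detectors, seed=1):
    """Fraction of detected bits guessed correctly from timing alone.

    With randomize_detectors=True Bob secretly picks, per pulse, which SPD
    stands for bit 0 (Section 9.3.1); the observer does not see that choice.
    """
    rng = random.Random(seed)
    eta = (eta0, eta1)
    likely_detector = 0 if eta0 >= eta1 else 1
    detected = correct = 0
    for _ in range(n_pulses):
        bit = rng.randrange(2)                       # equal prior on 0 and 1
        swap = rng.randrange(2) if randomize_detectors else 0
        detector = bit ^ swap                        # SPD this bit is routed to
        if rng.random() < eta[detector]:
            detected += 1
            correct += (likely_detector == bit)      # guess: "likely SPD" = bit
    return correct / detected if detected else 0.5


def gate_curve(t, center, width=0.6, peak=0.10):
    """Constructed gate response: Gaussian in time (ns)."""
    return peak * math.exp(-((t - center) / width) ** 2)


# Constructed characterization data: two gates offset by 0.3 ns.
TIMES = [round(-1.5 + 0.1 * i, 1) for i in range(31)]
EFF0 = [gate_curve(t, -0.15) for t in TIMES]
EFF1 = [gate_curve(t, +0.15) for t in TIMES]

if __name__ == "__main__":
    t, leak = audit_gate(TIMES, EFF0, EFF1)
    print(f"worst arrival time {t} ns leaks {leak:.3f} bit per detected bit")
    for flag in (False, True):
        acc = eve_guess_accuracy(0.08, 0.02, 200_000, flag)
        print(f"random detector assignment={flag}: guess accuracy {acc:.3f}")
```

At the gate center the two constructed curves coincide and the leak is zero; the audit flags the gate edges, which is where a timing shift matters.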

9.4 Discussion 

From this cryptanalysis exercise, we learn that a security proof is only as good as its 
underlying assumptions. Once a security loophole has been discovered, it is often not very 
difficult to develop countermeasures that will plug the loophole and regain unconditional 
proofs of security of the QKD system. One example is the time-shift attack that we 
mentioned above. However, the difficult part is how to identify such security loopholes in 
the first place. A QKD system is a complicated system with many intrinsic imperfections. 
It is, thus, very important to conduct extensive research on such imperfections carefully 
to determine if they are innocent or fatal for security. We need more quantum hackers in 
the field. The investigation of loopholes and countermeasures in practical QKD systems 
plays a complementary role to security proofs. 

Given that a practical QKD system will always have imperfections, one might wonder 
if QKD systems offer any real advantages over conventional systems. Our answer is 
three-fold. First of all, implementation loopholes are a fact of life. Even conventional 
security systems, such as smart cards, suffer implementation loopholes. For instance, 
Eve may attempt to read off a private key from a smart card by using various techniques 
(including X-ray) to reverse-engineer the circuit embedded in a smart card. Secondly, 
QKD can be used in concatenation with a conventional system to ensure security. By 
defending in depth, QKD can only increase security, not reduce it. Thirdly, QKD has 
an important advantage of being future-proof: The signals are quantum. Once the 
transmission is done, there is no transcript for the transmission. For an eavesdropper to 
launch a quantum attack, she has to possess much of the quantum technology during the 
quantum transmission. In contrast, in a standard Diffie-Hellman public-key key exchange
scheme, Eve has a complete transcript of the transmission and can save such a transcript
for decades to wait for unexpected future advances in hardware and algorithms. Given
that public key cryptosystems are an unexpected discovery made only three decades ago,
our view is that it would be complacent to believe that our standard public key
cryptosystems will be safe forever. Therefore, it pays to reduce one's risk by defending in depth
with a QKD system in concatenation with a conventional cryptosystem.

Conclusions and outlook

In this chapter, I will conclude my thesis by summarizing the results of my Ph.D. study 
and stating some interesting topics for future research. 

10.1 Decoy state QKD 

The major topic in my Ph.D. study is decoy state quantum key distribution (QKD). The 
main results are presented in Chapters 0], [6] and [7J 

Recall that the motivation of this thesis is to bridge the gap between theory and 
practice of QKD. One of the major problems in a practical QKD system is that a sin- 
gle photon source is difficult to obtain with current technology. Now, with the decoy 
state method, the key rate is linearly dependent on the channel transmission. Note that 
this is the highest order that the key rate can reach even with a perfect single photon 
source. Hence, with decoy states, one can treat weak coherent state sources and trigger- 
ing parametric down-conversion (PDC) sources as good single photon sources for QKD 
setups. 

For practical implementations, we showed that with only one or two decoy states, 
one can achieve most of the benefits of the decoy state method. Further improvement 
for the decoy state QKD was studied by considering two-way classical communication 
in the post-processing step. With our two-way classical communication based schemes, 
one can obtain a performance that is close to the theoretical limit. We also investigated 
the decoy state method for other photon sources, triggering PDC source. With similar 
results concluded, we expected the decoy state QKD to become a standard technique not 
only in the coherent state QKD, but also in QKD with triggering PDC sources.

All the decoy state QKD experiment demonstrations, including our first realization,
showed that the decoy state idea is easy to implement in real system setups. Therefore, 
we conclude that the practical quantum cryptography is close to real-life applications. 

10.2 Other topics 

As an extension of the decoy state QKD work, we searched for other techniques to 
improve the QKD performance of practical systems. We proposed a dual detector scheme 
to improve the case when fast and noisy detectors are in use. 

We also investigated other QKD protocols, such as the entanglement based QKD
protocols. By simulating a recent experiment, we showed that a) with an entangled PDC
source in the middle, the QKD setup can tolerate the highest channel loss compared to
decoy state QKD protocols; b) the coherent state QKD with decoy states can achieve
the highest key rate in the medium- and low-loss regions.

Security is the most important issue in QKD. We studied various eavesdropping attack 
schemes in quantum cryptography. We proposed a technologically feasible attack scheme 
and presented possible solutions. Note that although the attack is proposed for the BB84 
coherent state QKD implementation, the attack works for many other protocols as well. 
We also studied the countermeasures against this attack. We provided a security proof 
for a QKD system with detector efficiency mismatch. 

10.3 Future work outlook 

In the future, one interesting topic is a natural extension of my previous work: enhancing 
the performance of practical QKD systems. Further improvements, both in key rate and 
secure transmission distance, are required for some applications. Another crucial point 
is that, in real life, one needs to consider some extra disturbances (e.g., quantum signals 
may share the channel with regular classical signals). The final goal is to achieve a 
customer friendly QKD system that can be easily integrated with the Internet. 

To achieve an intercontinental transmission distance, ground-satellite QKD is a 
promising proposal. One interesting project is to test the feasibility of ground-satellite 
QKD. In Chapter 8, we have preliminarily studied the feasibility of ground-satellite QKD 
with the current entangled photon source. Previously, we used a beam splitter as a channel 
model for ground-satellite QKD. A study of the disturbance of the atmosphere is needed 
to develop a more realistic model for the ground-satellite channel. By modeling and 
simulating, one can investigate the requirements for QKD components: for example, 
what efficiency and noise level of single photon detectors are required and how large 
a telescope is needed. Meanwhile, it is interesting to explore good QKD schemes for 
ground-satellite QKD. 

To achieve a higher QKD key rate, one can consider other QKD protocols. Continuous 
variable QKD is proposed to achieve a higher key rate in the short and medium 
transmission distance. One open question is the security of continuous variable QKD. 
This is an appealing topic in the field. Modeling and simulations for continuous variable 
QKD are also interesting. 

Statistical fluctuations need to be considered in QKD with a finite key length. There 
is some work on this topic recently (e.g., by Renner [96]). One interesting topic is to 
apply Koashi's complementary idea [53] to finite key QKD and compare it with prior 
results. 

It has already been known that one can realize quantum gates by quantum teleportation 
[33]. There are some proposals for experimental quantum computation with 
linear optics [17]. However, scalability is a huge challenge. As yet, no one knows 
how to build a large scale quantum computer. A long-term challenge in the field is to 
find a practical proposal for a quantum factoring machine with current technology. Here, 
an interesting topic is whether the techniques developed in QKD could be useful 
to quantum computing. For instance, can the restrictions on single photon sources be 
loosened by applying the decoy idea? 



Appendix A 

Abbreviations and mathematical 
derivations 

A.1 Abbreviations 

The following abbreviations are used in this thesis. 

• QKD: quantum key distribution 

• BB84: the QKD protocol presented by Bennett and Brassard in 1984 [11] 

• EPR pair: a maximally entangled photon pair that originated from the 
Einstein-Podolsky-Rosen paradox [5H] 

• EDP: entanglement distillation protocol 

• LOCC: local operations and classical communication; 1-LOCC: local operations and 
one-way classical communication; 2-LOCC: local operations and two-way classical 
communication 

• PDC: parametric down-conversion 

• GLLP: the security proof of QKD with imperfect devices proposed by Gottesman, 
Lo, Lütkenhaus, and Preskill [35] 




A.2 Key rate of the recurrence scheme with an ideal 
single photon source 

In this section, we will review the recurrence EDP and develop the key generation rate 
formula given by: 

$$R = q \cdot r, \tag{A.1}$$

where $q$ is the basis reconciliation factor and $r$ is the residue of post-processing which we 
will find in the sequel. In the following, we use the same notation as in Section 2.4 and 
consider a Bell diagonal state $(q_{00}, q_{10}, q_{11}, q_{01})$. 

A.2.1 Parity check 

As the first step of recurrence, Alice and Bob check the parity of two pairs (labeled by 
control qubit C and target qubit T). They will get an even parity if the two pairs are in 
one of the following states: 

0000, 0001, 0100, 0101, 1010, 1011, 1110, 1111, 

and will get odd parity if they are in one of the following states: 

0010, 0011, 0110, 0111, 1000, 1001, 1100, 1101, 

where the first two bits represent the control qubit, and the last two bits represent 
the target qubit. That is, $ij$ represents the Bell state $|\psi_{ij}\rangle$ as given in Eq. (2.2) with 
$i, j = 0, 1$. For example, 1110 means that there is a bit error and a phase error in the 
control qubit ($|\psi_{11}\rangle$), and a bit error and no phase error in the target qubit ($|\psi_{10}\rangle$). Thus, 
the probability to get an even parity is given by: 

$$\begin{aligned} p_S &= (q^C_{00} + q^C_{01})(q^T_{00} + q^T_{01}) + (q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11}) \\ &= (1 - \delta_b^C)(1 - \delta_b^T) + \delta_b^C \delta_b^T, \end{aligned} \tag{A.2}$$

where $\delta_b^C = q^C_{10} + q^C_{11}$ and $\delta_b^T = q^T_{10} + q^T_{11}$ are the bit error rates of the input control and 
target qubits, respectively. During the parity check, the number of pure EPR pairs (or 
secret bits) that Alice and Bob need to sacrifice is given by: 

$$\frac{1}{2} H_2(p_S), \tag{A.3}$$

where the factor 1/2 is for the reason that Alice and Bob compute the parity of two-qubit 
pairs at one time. 

After the parity check, the qubits are divided into two groups, qubits with even parity 
and odd parity. In the following, we will discuss the error correction and privacy 
amplification on these two groups separately. The recurrence protocol appearing in Ref. [118] 
only performs error correction on qubits with even parity. 



A.2.2 Error correction 

For even parity qubits, we can see that the bit error syndrome of control qubits will be 
the same as that of target qubits. Thus, Alice and Bob only need to do error correction 
on the control (or target) qubits. Similar to Eq. (6.3), the bit error rate of control qubits 
after recurrence is given by: 

$$\tilde{\delta}_b^C = \frac{(q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11})}{p_S} = \frac{\delta_b^C \delta_b^T}{p_S}, \tag{A.4}$$

where $p_S$ is the probability of even parity in the recurrence given by Eq. (A.2). Therefore, 
Alice and Bob need to sacrifice a fraction: 

$$\frac{1}{2}\, p_S\, H_2\!\left(\frac{\delta_b^C \delta_b^T}{p_S}\right) \tag{A.5}$$

to do the overall error correction. The factor 1/2 is due to the fact that control qubits 
have the same error syndrome as target qubits. 

Therefore, the residue of data post-processing can be expressed as: 

$$r = -\frac{1}{2} H_2(p_S) - \frac{1}{2}\, p_S\, H_2\!\left(\frac{\delta_b^C \delta_b^T}{p_S}\right) + K, \tag{A.6}$$

where $p_S$ is given in Eq. (A.2), $\delta_b^C$ and $\delta_b^T$ are the QBER of control and target qubits, 
respectively, and $K$ is the residue of privacy amplification, which we will focus on in the 
following discussion. 



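A.2.3 Privacy amplification 

Alice and Bob perform privacy amplification to the qubits with even and odd parities 
separately. 

Even parity: Now, Alice and Bob already know the bit error syndrome. The control 
and target qubits have the same bit error syndromes, but may have different phase error 
syndromes. Thus, Alice and Bob can divide the even parity qubits into four groups: control 
qubits with bit error syndrome 0 and 1, and target qubits with bit error syndrome 
0 and 1, and treat these groups separately in the privacy amplification step. The probability 
of each group (summing together the even parity probabilities given in Eq. (A.2)) 
is given by: 

$$\frac{(q^C_{00} + q^C_{01})(q^T_{00} + q^T_{01})}{2},\quad \frac{(q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11})}{2},\quad \frac{(q^C_{00} + q^C_{01})(q^T_{00} + q^T_{01})}{2},\quad \frac{(q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11})}{2},$$

with phase error rate: 

$$\frac{q^C_{01}}{q^C_{00} + q^C_{01}},\quad \frac{q^C_{11}}{q^C_{10} + q^C_{11}},\quad \frac{q^T_{01}}{q^T_{00} + q^T_{01}},\quad \frac{q^T_{11}}{q^T_{10} + q^T_{11}}.$$

Since the error syndrome of each group of qubits is known to Alice and Bob, privacy 
amplification can be applied to the different groups separately. Then, Alice and Bob 
should sacrifice a fraction: 

$$\begin{aligned} &\frac{(q^C_{00} + q^C_{01})(q^T_{00} + q^T_{01})}{2} H_2\!\left(\frac{q^C_{01}}{q^C_{00} + q^C_{01}}\right) + \frac{(q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11})}{2} H_2\!\left(\frac{q^C_{11}}{q^C_{10} + q^C_{11}}\right) \\ &+ \frac{(q^C_{00} + q^C_{01})(q^T_{00} + q^T_{01})}{2} H_2\!\left(\frac{q^T_{01}}{q^T_{00} + q^T_{01}}\right) + \frac{(q^C_{10} + q^C_{11})(q^T_{10} + q^T_{11})}{2} H_2\!\left(\frac{q^T_{11}}{q^T_{10} + q^T_{11}}\right) \end{aligned} \tag{A.7}$$

to do the privacy amplification. Given the bit and phase error rates of input control and 
target qubits $\delta_b^{C,T} = q^{C,T}_{10} + q^{C,T}_{11}$ and $\delta_p^{C,T} = q^{C,T}_{11} + q^{C,T}_{01}$, Eq. (A.7) can be written as: 

$$\frac{1}{2}(1 - \delta_b^C)(1 - \delta_b^T)\left[H_2\!\left(\frac{\delta_p^C - q^C_{11}}{1 - \delta_b^C}\right) + H_2\!\left(\frac{\delta_p^T - q^T_{11}}{1 - \delta_b^T}\right)\right] + \frac{1}{2}\delta_b^C \delta_b^T \left[H_2\!\left(\frac{q^C_{11}}{\delta_b^C}\right) + H_2\!\left(\frac{q^T_{11}}{\delta_b^T}\right)\right]. \tag{A.8}$$

Thus, the privacy amplification residue of even parity qubits is given by: 

$$K_{even} = p_S - \frac{1}{2}(1 - \delta_b^C)(1 - \delta_b^T)\left[H_2\!\left(\frac{\delta_p^C - q^C_{11}}{1 - \delta_b^C}\right) + H_2\!\left(\frac{\delta_p^T - q^T_{11}}{1 - \delta_b^T}\right)\right] - \frac{1}{2}\delta_b^C \delta_b^T \left[H_2\!\left(\frac{q^C_{11}}{\delta_b^C}\right) + H_2\!\left(\frac{q^T_{11}}{\delta_b^T}\right)\right]. \tag{A.9}$$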

Odd parity: It turns out that pairs with odd parity during the recurrence can also 
contribute to the final key [118]. Instead of including them in the error correction, Alice 
and Bob measure one of the two qubits and hence, they know the bit error syndrome of 
the remaining qubit. They can then proceed with privacy amplification on these qubits. 

Suppose Alice and Bob always choose to measure the target qubits and obtain the 
error syndrome of the control qubits. Similar to the even parity case, now, Alice and 
Bob can divide the control qubits with odd parity into two parts in accordance with the 
bit error syndrome. The probability of each part is given by: 

$$\frac{(q^C_{00} + q^C_{01})(q^T_{10} + q^T_{11})}{2},\quad \frac{(q^C_{10} + q^C_{11})(q^T_{00} + q^T_{01})}{2},$$

with a phase error rate: 



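With the same argument as Eq. (A.7), the number of qubits that need to be sacrificed 
to privacy amplification is given by: 

$$\frac{1}{2}\left[(1 - \delta_b^C)\,\delta_b^T\, H_2\!\left(\frac{\delta_p^C - q^C_{11}}{1 - \delta_b^C}\right) + \delta_b^C (1 - \delta_b^T)\, H_2\!\left(\frac{q^C_{11}}{\delta_b^C}\right)\right]. \tag{A.10}$$

Hence, the privacy amplification residue of odd parity qubits is given by: 

$$K_{odd} = \frac{1}{2}(1 - \delta_b^C)\,\delta_b^T \left[1 - H_2\!\left(\frac{\delta_p^C - q^C_{11}}{1 - \delta_b^C}\right)\right] + \frac{1}{2}\delta_b^C (1 - \delta_b^T)\left[1 - H_2\!\left(\frac{q^C_{11}}{\delta_b^C}\right)\right]. \tag{A.11}$$

Therefore, the privacy amplification residue, $K$ in Eq. (A.6), by adding Eqs. (A.9) 
and (A.11) and substituting Eq. (A.2), is given by: 

$$\begin{aligned} K ={}& 1 - \frac{1}{2}(1 - \delta_b^C)\,\delta_b^T - \frac{1}{2}\delta_b^C(1 - \delta_b^T) - \frac{1}{2}(1 - \delta_b^C)\, H_2\!\left(\frac{\delta_p^C - q^C_{11}}{1 - \delta_b^C}\right) - \frac{1}{2}\delta_b^C\, H_2\!\left(\frac{q^C_{11}}{\delta_b^C}\right) \\ & - \frac{1}{2}(1 - \delta_b^C)(1 - \delta_b^T)\, H_2\!\left(\frac{\delta_p^T - q^T_{11}}{1 - \delta_b^T}\right) - \frac{1}{2}\delta_b^C \delta_b^T\, H_2\!\left(\frac{q^T_{11}}{\delta_b^T}\right). \end{aligned} \tag{A.12}$$

Note that there are two free parameters $q^C_{11}$ and $q^T_{11}$ in Eq. (A.12), which should be 
minimized over to lower-bound the key rate. 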



A.3 Security against basis dependent source 

Here, we derive Eq. (6.8) in Section 6.1.3. Rewriting Eq. (9) of [50] gives: 

$$\sqrt{F} \le \sqrt{(1 - \delta_{bx})(1 - \delta_{pz})} + \sqrt{\delta_{bx}\delta_{pz}}, \tag{A.13}$$

where $F$ is the fidelity between the two states with two bases ($X$ and $Z$) sent by Alice, 
$\delta_{bx}$ is the QBER of $X$-basis states from error testing, and $\delta_{pz}$ is the phase error rate of 
the $Z$-basis states.¹ Similarly, we have another inequality between the QBER of $Z$-basis 
states $\delta_{bz}$, and the phase error rate of $X$-basis states $\delta_{px}$: 

$$\sqrt{F} \le \sqrt{(1 - \delta_{bz})(1 - \delta_{px})} + \sqrt{\delta_{bz}\delta_{px}}. \tag{A.14}$$

¹ Note that we have used different notations from those in Ref. [50]. By letting $\delta_1 = \delta_{bx}$ and $\delta_{ph} = \delta_{pz}$, 
and substituting Eq. (3) of [50], we can recover Eq. (9) of [50] from Eq. (A.13). 

Adding Eqs. (A.13) and (A.14) gives: 

$$\begin{aligned} \sqrt{F} &\le \frac{1}{2}\left[\sqrt{(1 - \delta_{bx})(1 - \delta_{pz})} + \sqrt{\delta_{bx}\delta_{pz}} + \sqrt{(1 - \delta_{bz})(1 - \delta_{px})} + \sqrt{\delta_{bz}\delta_{px}}\right] \\ &\le \sqrt{\left(1 - \frac{\delta_{bx} + \delta_{bz}}{2}\right)\left(1 - \frac{\delta_{pz} + \delta_{px}}{2}\right)} + \sqrt{\frac{\delta_{bx} + \delta_{bz}}{2} \cdot \frac{\delta_{pz} + \delta_{px}}{2}} \\ &= \sqrt{(1 - \delta_b)(1 - \delta_p)} + \sqrt{\delta_b \delta_p}, \end{aligned} \tag{A.15}$$

where the second inequality is due to the concavity of the function $\sqrt{(1 - x)(1 - y)} + \sqrt{xy}$ 
in $[0, 1] \times [0, 1]$ and we have used the definitions $\delta_b = (\delta_{bx} + \delta_{bz})/2$ and $\delta_p = (\delta_{pz} + \delta_{px})/2$. 
Here, we assume the number of received qubits with $Z$ basis and $X$ basis is the same. 



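A.4 Residue for the Decoy+GLLP+Recurrence 
scheme 

We calculate the residues, $K_i$, in Eq. (6.19) for the five cases: $V \oplus S$, $S \oplus V$, $S \oplus S$, 
$S \oplus M$, $M \oplus S$. Here, we apply each case, with parameters shown in Table 6.1, into 
Eq. (A.12) to calculate each $K_i$. 

$V \oplus S$: the probability of this case is $\Omega_{VS} = \Omega_V \Omega$. 

$$\begin{aligned} K_{VS} &= 1 - \frac{1}{4} - \frac{1}{4} H_2(1 - 2q^V_{11}) - \frac{1}{4} H_2(2q^V_{11}) - \frac{1}{4}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{4} e_1 H_2\!\left(\frac{a}{e_1}\right) \\ &\ge \frac{1}{4} - \frac{1}{4}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{4} e_1 H_2\!\left(\frac{a}{e_1}\right), \end{aligned} \tag{A.16}$$

with equality when $q^V_{11} = 1/4$. This is due to the concavity of function $H_2(\cdot)$. 

$S \oplus V$: the probability of this case is $\Omega_{SV} = \Omega_V \Omega$. 

$$\begin{aligned} K_{SV} &= 1 - \frac{1}{4} - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right) - \frac{1}{4}(1 - e_1) H_2(1 - 2q^V_{11}) - \frac{1}{4} e_1 H_2(2q^V_{11}) \\ &\ge \frac{1}{2} - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right), \end{aligned} \tag{A.17}$$

with equality when $q^V_{11} = 1/4$. 

$S \oplus S$: the probability of this case is $\Omega_{SS} = \Omega^2$. 

$$K_{SS} = 1 - e_1(1 - e_1) - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right) - \frac{1}{2}(1 - e_1)^2 H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1^2 H_2\!\left(\frac{a}{e_1}\right). \tag{A.18}$$

$$\begin{aligned} K_{SM} ={}& 1 - \frac{1}{2} e_1(1 - e_M) - \frac{1}{2} e_M(1 - e_1) - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right) \\ & - \frac{1}{2}(1 - e_1)(1 - e_M) H_2\!\left(\frac{1/2 - q^M_{11}}{1 - e_M}\right) - \frac{1}{2} e_1 e_M H_2\!\left(\frac{q^M_{11}}{e_M}\right) \\ \ge{}& \frac{1}{2} - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right), \end{aligned} \tag{A.19}$$

with equality when $q^M_{11} = e_M/2$. 

$M \oplus S$: the probability of this case is $\Omega_{MS} = \Omega_M \Omega$. 

$$\begin{aligned} K_{MS} ={}& 1 - \frac{1}{2} e_M(1 - e_1) - \frac{1}{2} e_1(1 - e_M) - \frac{1}{2}(1 - e_M) H_2\!\left(\frac{1/2 - q^M_{11}}{1 - e_M}\right) - \frac{1}{2} e_M H_2\!\left(\frac{q^M_{11}}{e_M}\right) \\ & - \frac{1}{2}(1 - e_1)(1 - e_M) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 e_M H_2\!\left(\frac{a}{e_1}\right) \\ \ge{}& \frac{1}{2} - \frac{1}{2} e_M(1 - e_1) - \frac{1}{2} e_1(1 - e_M) - \frac{1}{2}(1 - e_1)(1 - e_M) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 e_M H_2\!\left(\frac{a}{e_1}\right), \end{aligned} \tag{A.20}$$

with equality when $q^M_{11} = e_M/2$. 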

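Therefore, the data post-processing residue of the Decoy+GLLP+Recurrence scheme 
will be given by substituting Eqs. (A.16), (A.17), (A.18), (A.19) and (A.20) into 
Eq. (6.19): 

$$\begin{aligned} r ={}& -\frac{1}{2} f(p_S) H_2(p_S) - \frac{1}{2} p_S f\!\left(\frac{\delta_b^2}{p_S}\right) H_2\!\left(\frac{\delta_b^2}{p_S}\right) + \Omega_{VS} K_{VS} + \Omega_{SV} K_{SV} + \Omega_{SS} K_{SS} + \Omega_{SM} K_{SM} + \Omega_{MS} K_{MS} \\ \ge{}& -\frac{1}{2} f(p_S) H_2(p_S) - \frac{1}{2} p_S f\!\left(\frac{\delta_b^2}{p_S}\right) H_2\!\left(\frac{\delta_b^2}{p_S}\right) \\ & + \Omega_V \Omega \left[\frac{1}{4} - \frac{1}{4}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{4} e_1 H_2\!\left(\frac{a}{e_1}\right)\right] + \Omega_V \Omega \left[\frac{1}{2} - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right)\right] \\ & + \Omega^2 \left[1 - e_1(1 - e_1) - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right) - \frac{1}{2}(1 - e_1)^2 H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1^2 H_2\!\left(\frac{a}{e_1}\right)\right] \\ & + \Omega \Omega_M \left[\frac{1}{2} - \frac{1}{2}(1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 H_2\!\left(\frac{a}{e_1}\right)\right] \\ & + \Omega \Omega_M \left[\frac{1}{2} - \frac{1}{2} e_M(1 - e_1) - \frac{1}{2} e_1(1 - e_M) - \frac{1}{2}(1 - e_1)(1 - e_M) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) - \frac{1}{2} e_1 e_M H_2\!\left(\frac{a}{e_1}\right)\right], \end{aligned} \tag{A.21}$$

with equality when $q^V_{11} = 1/4$ and $q^M_{11} = e_M/2$. In order to simplify this formula, we 
define some variables: 

$$\begin{aligned} B &= -\frac{1}{2} f(p_S) H_2(p_S) - \frac{1}{2} p_S f\!\left(\frac{\delta_b^2}{p_S}\right) H_2\!\left(\frac{\delta_b^2}{p_S}\right) \\ C &= \frac{3}{4}\Omega_V \Omega + \Omega^2 (1 - e_1 + e_1^2) + \frac{1}{2}\Omega \Omega_M (2 - e_1 - e_M + 2 e_1 e_M) \\ D_1 &= \frac{3}{4}\Omega_V \Omega + \frac{1}{2}\Omega^2 (2 - e_1) + \frac{1}{2}\Omega \Omega_M (2 - e_M) \\ D_2 &= \frac{3}{4}\Omega_V \Omega + \frac{1}{2}\Omega^2 (1 + e_1) + \frac{1}{2}\Omega \Omega_M (e_M + 1) \end{aligned} \tag{A.22}$$

Thus, Eq. (6.20) can be expressed as: 

$$r = B + \Omega_{VS} K_{VS} + \Omega_{SV} K_{SV} + \Omega_{SS} K_{SS} + \Omega_{SM} K_{SM} + \Omega_{MS} K_{MS} \ge B + C - F_a, \tag{A.23}$$

where 

$$F_a = D_1 (1 - e_1) H_2\!\left(\frac{e_1 - a}{1 - e_1}\right) + D_2\, e_1 H_2\!\left(\frac{a}{e_1}\right), \tag{A.24}$$

with equality when $q^V_{11} = 1/4$ and $q^M_{11} = e_M/2$. 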

To obtain the lower bound $r$ in Eq. (A.23), we need to find the maximum value of 
$F_a$ over the free variable $a$. We are interested in the range of $a \in [0, e_1]$ with $e_1 < 1/2$. 
Note that $F_a$ is a concave function of $a$ in the valid range, since a sum of two concave 
functions is also a concave function, and reflecting and shifting a concave function is also 
a concave function. Thus, we can take the derivative of $F_a$ with respect to $a$ and set it 
to zero to find the maximum of $F_a$. Differentiating $F_a$ with respect to $a$ gives: 

$$\frac{dF_a}{da} = D_1 \left[\log_2 \frac{e_1 - a}{1 - e_1} - \log_2\!\left(1 - \frac{e_1 - a}{1 - e_1}\right)\right] + D_2 \left[\log_2\!\left(1 - \frac{a}{e_1}\right) - \log_2 \frac{a}{e_1}\right].$$

Setting $2^{dF_a/da} = 1$ gives 



Denoting the left-hand side to be $f(a)$, $f(a)$ is a decreasing function of $a$ since $dF_a/da$ is a 
decreasing function of $a$. Therefore, we can use the bisection method to find $a$ such that 
$f(a) = 1$. The initial range for the bisection method is $[0, e_1]$. 



A.5 QBER for entanglement PDC QKD 

Here, we will study the quantum bit error rate (QBER) of the entanglement PDC QKD. 
Our objective is to derive the QBER formula given in Eq. (8.9) used in the simulation. 
The QBER has three main contributions: 

1. background counts, which are random noises $e_0 = 1/2$; 

2. intrinsic detector errors, $e_d$, which is the probability that a photon hits the erroneous 
detector. $e_d$ characterizes the alignment and stability of the optical system between 
the detection systems of Alice and Bob; 

3. errors introduced by multi-photon-pair states: a) Alice and Bob may detect different 
photon pairs; b) double clicks. Due to the strong pulsing attack [69], we assume 
that Alice and Bob will assign a random bit when they get a double click. In either 
case, the error rate will be $e_0 = 1/2$. 

Let us start with the single-photon-pair case, a Bell state given in Eq. (8.4). The error 
rate of single-photon-pair $e_1$ has two sources: background counts and intrinsic detector 
errors: 

$$e_1 = e_0 - \frac{(e_0 - e_d)\,\eta_A \eta_B}{Y_1}. \tag{A.25}$$

If we neglect the case where both background and true signal cause clicks, then $e_1$ can 
be written as: 

$$e_1 \approx \frac{e_0 (Y_{0A} Y_{0B} + Y_{0A}\eta_B + \eta_A Y_{0B}) + e_d\, \eta_A \eta_B}{Y_1}, \tag{A.26}$$

where $e_0 = 1/2$ is the error rate of background counts. The first term of the numerator is 
the background contribution and the second term comes from the errors of true signals. 

In the following, we will discuss the errors introduced by multi-photon pair states, 
$e_n$ with $n \ge 2$. Here, we assume that Alice and Bob use threshold detectors. One can 
imagine the detection of an $n$-photon-pair state as follows. 

1. Alice and Bob project the $n$-photon-pair state, Eq. (8.3), into $Z^{\otimes n}$ basis. 

2. Afterwards, they detect each photon with certain probabilities ($\eta_A$ for Alice and 
$\eta_B$ for Bob). 

3. If either Alice or Bob detects vacuum, then we regard it as a loss. If Alice and Bob 
both detect non-vacuum only in one polarization ($\leftrightarrow$ or $\updownarrow$), we regard it as a single 
click event. Otherwise, we regard it as a double click event. 

The state of a 2-photon-pair state, according to Eq. (8.3), can be written as: 

$$\begin{aligned} |\Phi_2\rangle &= \frac{1}{\sqrt{3}}\left(|2,0\rangle_a |0,2\rangle_b - |1,1\rangle_a |1,1\rangle_b + |0,2\rangle_a |2,0\rangle_b\right) \\ &= \frac{1}{\sqrt{3}}\left[|\leftrightarrow\leftrightarrow\rangle_a |\updownarrow\updownarrow\rangle_b - \frac{1}{2}\left(|\leftrightarrow\updownarrow\rangle + |\updownarrow\leftrightarrow\rangle\right)_a \otimes \left(|\leftrightarrow\updownarrow\rangle + |\updownarrow\leftrightarrow\rangle\right)_b + |\updownarrow\updownarrow\rangle_a |\leftrightarrow\leftrightarrow\rangle_b\right]. \end{aligned} \tag{A.27}$$

As discussed above, Alice and Bob project the state into $Z \otimes Z$ basis. If they end 
up with the first or the third state in the bracket of Eq. (A.27), they will get perfect 
anti-correlation, which will not contribute to errors. If they get the second state in the 
bracket of Eq. (A.27), their results are totally independent, which will cause an error with 
a probability $e_0 = 1/2$. Thus, the error probability introduced by a 2-photon-pair state is 
1/6. Here, we have only considered the errors introduced by multi photon states, which 
is item 3 discussed in the beginning of this Appendix. We should also take into account 
the effects of background counts and intrinsic detector errors. With these modifications, 
the error rate of 2-photon-pair state is given by: 

$$e_2 = e_0 - \frac{2(e_0 - e_d)\left[1 - (1 - \eta_A)^2\right]\left[1 - (1 - \eta_B)^2\right]}{3 Y_2}, \tag{A.28}$$

where $Y_2$ is given in Eq. (EE]). Eq. (A.28) can be understood as follows. Only when 
Alice and Bob project Eq. (A.27) into $|\leftrightarrow\leftrightarrow\rangle_a |\updownarrow\updownarrow\rangle_b$ or $|\updownarrow\updownarrow\rangle_a |\leftrightarrow\leftrightarrow\rangle_b$ and no background 
count occurs, they have a probability of $e_d$ to get the wrong answer. Given a coincident 
detection, the conditional probability for this case is $2[1 - (1 - \eta_A)^2][1 - (1 - \eta_B)^2]/3Y_2$. 
All other cases, a background count, a double click and measuring different photon pairs, 
will contribute to an error probability $e_0 = 1/2$. 

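Next, let us study the errors coming from the state $|n - m, m\rangle_a |m, n - m\rangle_b$. When 
Alice detects at least one of $n - m$ $|\updownarrow\rangle$ photons, but none of $m$ $|\leftrightarrow\rangle$ photons, and Bob 
detects at least one of $n - m$ $|\leftrightarrow\rangle$ photons, but none of $m$ $|\updownarrow\rangle$ photons, or both Alice and 
Bob have bit flips of this case, they will end up with an error probability of $e_d$. Given a 
coincident detection, the conditional probability for these two cases is: 

$$\begin{aligned} \frac{1}{Y_n}\Big\{ &\left[1 - (1 - \eta_A)^{n-m}\right](1 - \eta_A)^m \left[1 - (1 - \eta_B)^{n-m}\right](1 - \eta_B)^m \\ &+ \left[1 - (1 - \eta_A)^m\right](1 - \eta_A)^{n-m} \left[1 - (1 - \eta_B)^m\right](1 - \eta_B)^{n-m} \Big\}. \end{aligned}$$

When Alice detects at least one of $n - m$ $|\updownarrow\rangle$ polarizations, but none of $m$ $|\leftrightarrow\rangle$ 
polarizations, and Bob detects at least one of $m$ $|\updownarrow\rangle$ polarizations, but none of $n - m$ $|\leftrightarrow\rangle$ 
polarizations, or both Alice and Bob have bit flips of this case, they will end up with an 
error probability of $1 - e_d$. Given a coincident detection, the conditional probability for 
these two cases is: 

$$\begin{aligned} \frac{1}{Y_n}\Big\{ &\left[1 - (1 - \eta_A)^m\right](1 - \eta_A)^{n-m} \left[1 - (1 - \eta_B)^{n-m}\right](1 - \eta_B)^m \\ &+ \left[1 - (1 - \eta_A)^{n-m}\right](1 - \eta_A)^m \left[1 - (1 - \eta_B)^m\right](1 - \eta_B)^{n-m} \Big\}. \end{aligned}$$

For all other cases, the error probability is $e_0$. Thus, the error probability for the state 
$|n - m, m\rangle_a |m, n - m\rangle_b$ is: 

$$\begin{aligned} e_{nm} = e_0 - \frac{e_0 - e_d}{Y_n}\Big\{ &(1 - \eta_A)^{n-m}(1 - \eta_B)^{n-m}\left[1 - (1 - \eta_A)^m\right]\left[1 - (1 - \eta_B)^m\right] \\ &+ (1 - \eta_A)^m (1 - \eta_B)^m \left[1 - (1 - \eta_A)^{n-m}\right]\left[1 - (1 - \eta_B)^{n-m}\right] \\ &- (1 - \eta_A)^{n-m}(1 - \eta_B)^m \left[1 - (1 - \eta_A)^m\right]\left[1 - (1 - \eta_B)^{n-m}\right] \\ &- (1 - \eta_A)^m (1 - \eta_B)^{n-m}\left[1 - (1 - \eta_A)^{n-m}\right]\left[1 - (1 - \eta_B)^m\right]\Big\} \\ = e_0 - \frac{e_0 - e_d}{Y_n}&\left[(1 - \eta_A)^{n-m} - (1 - \eta_A)^m\right]\left[(1 - \eta_B)^{n-m} - (1 - \eta_B)^m\right]. \end{aligned} \tag{A.29}$$

In general, for an $n$-photon-pair state described by Eq. (8.3), the error rate is given 
by: 

$$\begin{aligned} e_n &= \frac{1}{n+1}\sum_{m=0}^{n} e_{nm} \\ &= \frac{1}{n+1}\sum_{m=0}^{n}\left\{e_0 - \frac{e_0 - e_d}{Y_n}\left[(1 - \eta_A)^{n-m} - (1 - \eta_A)^m\right]\left[(1 - \eta_B)^{n-m} - (1 - \eta_B)^m\right]\right\} \\ &= e_0 - \frac{e_0 - e_d}{(n+1) Y_n}\sum_{m=0}^{n}\left[(1 - \eta_A)^{n-m} - (1 - \eta_A)^m\right]\left[(1 - \eta_B)^{n-m} - (1 - \eta_B)^m\right] \\ &= e_0 - \frac{2(e_0 - e_d)}{(n+1) Y_n}\left[\frac{1 - (1 - \eta_A)^{n+1}(1 - \eta_B)^{n+1}}{1 - (1 - \eta_A)(1 - \eta_B)} - \frac{(1 - \eta_A)^{n+1} - (1 - \eta_B)^{n+1}}{\eta_B - \eta_A}\right]. \end{aligned} \tag{A.30}$$

The overall QBER is given by: 

$$\begin{aligned} E_\lambda Q_\lambda &= \sum_{n=0}^{\infty} e_n Y_n P(n) \\ &= e_0 Q_\lambda - \sum_{n=0}^{\infty} \frac{2(e_0 - e_d)\lambda^n}{(1 + \lambda)^{n+2}}\left[\frac{1 - (1 - \eta_A)^{n+1}(1 - \eta_B)^{n+1}}{1 - (1 - \eta_A)(1 - \eta_B)} - \frac{(1 - \eta_A)^{n+1} - (1 - \eta_B)^{n+1}}{\eta_B - \eta_A}\right] \\ &= e_0 Q_\lambda - \frac{2(e_0 - e_d)\,\eta_A \eta_B \lambda (1 + \lambda)}{(1 + \eta_A \lambda)(1 + \eta_B \lambda)(1 + \eta_A \lambda + \eta_B \lambda - \eta_A \eta_B \lambda)}, \end{aligned} \tag{A.31}$$

where $Q_\lambda$ is the gain given in Eq. (8.8). 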
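
As an added check (not part of the thesis), the Python sketch below enumerates the threshold-detection model of steps 1 to 3 event by event and compares it with the closed forms of Eqs. (A.30) and (A.31). It assumes no background counts ($Y_{0A} = Y_{0B} = 0$, so $Y_n = [1 - (1 - \eta_A)^n][1 - (1 - \eta_B)^n]$), $e_0 = 1/2$, and the photon-pair number distribution $P(n) = (n+1)\lambda^n/(1+\lambda)^{n+2}$; the function names are this example's own.

```python
import math

E0 = 0.5  # error rate of a random bit: double clicks and clicks from different pairs


def click_probs(k_v, k_h, eta):
    """Threshold detection of k_v vertical and k_h horizontal photons, each registered
    independently with efficiency eta. Returns the probabilities of
    (only the V detector clicks, only the H detector clicks, both click)."""
    only_v = only_h = both = 0.0
    for d_v in range(k_v + 1):
        p_v = math.comb(k_v, d_v) * eta**d_v * (1 - eta)**(k_v - d_v)
        for d_h in range(k_h + 1):
            p_h = math.comb(k_h, d_h) * eta**d_h * (1 - eta)**(k_h - d_h)
            if d_v and d_h:
                both += p_v * p_h
            elif d_v:
                only_v += p_v * p_h
            elif d_h:
                only_h += p_v * p_h
    return only_v, only_h, both


def e_n_model(n, eta_a, eta_b, e_d):
    """Error rate e_n and yield Y_n of an n-photon-pair state from the event model,
    averaging uniformly over the components |n-m, m>_a |m, n-m>_b, m = 0..n."""
    total_err = total_yield = 0.0
    for m in range(n + 1):
        a_v, a_h, a_dc = click_probs(n - m, m, eta_a)
        b_v, b_h, b_dc = click_probs(m, n - m, eta_b)   # Bob is anti-correlated
        y = (a_v + a_h + a_dc) * (b_v + b_h + b_dc)     # both sides non-vacuum
        anti = a_v * b_h + a_h * b_v   # single clicks from the same group: error e_d
        same = a_v * b_v + a_h * b_h   # single clicks from different groups: error 1 - e_d
        total_err += e_d * anti + (1 - e_d) * same + E0 * (y - anti - same)
        total_yield += y
    return total_err / total_yield, total_yield / (n + 1)


def e_n_closed(n, eta_a, eta_b, e_d):
    """Closed form of Eq. (A.30) with the no-background yield; needs eta_a != eta_b."""
    a, b = 1 - eta_a, 1 - eta_b
    y_n = (1 - a**n) * (1 - b**n)
    bracket = ((1 - (a * b)**(n + 1)) / (1 - a * b)
               - (a**(n + 1) - b**(n + 1)) / (eta_b - eta_a))
    return E0 - 2 * (E0 - e_d) * bracket / ((n + 1) * y_n)


def p_pairs(n, lam):
    """Assumed photon-pair number distribution P(n)."""
    return (n + 1) * lam**n / (1 + lam)**(n + 2)


def qber_times_gain_model(lam, eta_a, eta_b, e_d, n_max=40):
    """Sum_n e_n Y_n P(n) and the gain Sum_n Y_n P(n), truncated at n_max."""
    eq = gain = 0.0
    for n in range(1, n_max + 1):   # n = 0 never clicks without background counts
        e_n, y_n = e_n_model(n, eta_a, eta_b, e_d)
        eq += e_n * y_n * p_pairs(n, lam)
        gain += y_n * p_pairs(n, lam)
    return eq, gain


def qber_times_gain_closed(lam, eta_a, eta_b, e_d, gain):
    """Closed form of Eq. (A.31)."""
    denom = ((1 + eta_a * lam) * (1 + eta_b * lam)
             * (1 + eta_a * lam + eta_b * lam - eta_a * eta_b * lam))
    return E0 * gain - 2 * (E0 - e_d) * eta_a * eta_b * lam * (1 + lam) / denom


if __name__ == "__main__":
    eq, gain = qber_times_gain_model(0.2, 0.3, 0.1, 0.015)
    print("QBER from event model :", eq / gain)
    print("QBER from Eq. (A.31)  :", qber_times_gain_closed(0.2, 0.3, 0.1, 0.015, gain) / gain)
```

With perfect detectors and $e_d = 0$, `e_n_model(2, 1.0, 1.0, 0.0)` reproduces the 1/6 error probability quoted for the 2-photon-pair state.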



Appendix B 
Optimal μ 



In this appendix, we will discuss the optimal expected photon number $\mu$ for various 
protocols. 

B.1 Coherent state QKD 

Here, we will discuss the optimal choice of the expected photon number $\mu$ of the coherent 
state QKD with and without decoy states. 

Let us start with a generic discussion. On the one hand, we need to maximize the 
probability of a single photon detection, which is the only source of the final secure key (for 
BB84). To achieve this point, we should maximize the single photon sources. Considering 
a weak coherent state photon source in accordance with the Poisson distribution of the 
photon number as shown in Eq. (3.3), the single photon source reaches its maximum 
when $\mu = 1$. On the other hand, we have to control the probability of the multi photon 
detection to ensure the security of the system. Thus, we should keep the untagged 
states (single photon states) ratio large, which requires $\mu$ to be not too large. Therefore, 
intuitively we have: 

$$\mu \in (0, 1].$$

B.1.1 Without decoy states 

Here, we will consider the case of the coherent state QKD without decoy states, following 
the discussion in Ref. [70]. Assume that Alice and Bob apply the GLLP security analysis 
as discussed in Section 2.5. We desire to get an optimal value of $\mu$ that maximizes the 
key generation rate $R$ in Eq. (2.6) with other parameters fixed. The key parameters here 
are the overall transmittance $\eta$ given in Eq. (3.4), background rate $Y_0$, and the intrinsic 
detection error rate $e_d$. 

Let us make an approximation first: if the background contribution is negligible, that 
is, $Y_0 \ll \eta$, then from Eqs. (3.11): 

$$\begin{aligned} Q_\mu &= 1 - e^{-\eta\mu} \\ E_\mu &= e_d \end{aligned} \tag{B.1}$$

Then according to Eq. (4.1), the estimation of $Q_1$ and $e_1$ is: 

$$\begin{aligned} Q_1 &\ge Q_\mu - \sum_{i=2}^{\infty} \frac{\mu^i}{i!} e^{-\mu} = (1 + \mu) e^{-\mu} - e^{-\eta\mu} \\ e_1 &\le \frac{e_d (1 - e^{-\eta\mu})}{(1 + \mu) e^{-\mu} - e^{-\eta\mu}} \end{aligned} \tag{B.2}$$

Then we can substitute these approximations into the key rate formula Eq. (2.6) and 
take the derivative with respect to $\mu$ to get the optimal $\mu$. 

$$R \le \frac{1}{2}(Q_\mu - p_m) = \frac{1}{2}\left[(1 + \mu)\exp(-\mu) - \exp(-\eta\mu)\right]$$

with the pessimistic assumption Eq. (4.1). This expression is optimized if we choose 
$\mu = \mu_{optimal}$, which fulfills: 

$$-\mu \exp(-\mu) + \eta \exp(-\eta\mu) = 0.$$

Since for a realistic setup, we expect that $\eta\mu \ll 1$, we find: 

$$\mu_{optimal} \approx \eta. \tag{B.3}$$

We use the numerical analysis to verify Eq. (B.3). When we keep all parameters fixed 
and vary the expected photon number $\mu$ of the signal, we can determine the $\mu_{optimal}$ to 
maximize the key generation rate by Eq. (2.6). If we fix the background rate $Y_0$ and 
the probability of erroneous detection $e_d$, and vary the transmittance $\eta$, we can draw the 
relationship between the optimal $\mu_{optimal}$ and $\eta$. The result is shown in Figure B.1, from 
which we can see that Eq. (B.3) is a good approximation. 

Figure B.1: Plot of the optimal expected photon number $\mu$ as a function of transmittance 
$\eta$ for the coherent state QKD+non decoy. The parameters used in the simulation are 
listed in Table 3.1. Here, we numerically calculate the optimal $\mu$ that maximizes the key 
generation rate by Eqs. (2.6) and (4.1). In the regime around $\eta \sim 0$, the key rate is 0. 
Thus, there is no point to talk about optimal $\mu$ in that regime. 



B.1.2 With decoy state 

In principle, Alice and Bob can estimate $Q_1$ and $e_1$ accurately with the decoy state. 
Hence, $\mu_{optimal}$ should maximize the untagged states ratio $\Omega = Q_1/Q_\mu$. Thus, we can 
expect that $\mu_{optimal}$ should be greater than (B.3). 

Let us start with a numerical analysis on Eq. (2.6) directly. For each distance, we 
determine the optimal $\mu$ that maximizes the key generation rate. The result is shown in 
Figure B.2. We can see that the optimal $\mu$ for GYS is around 0.48 when $f(\delta) = 1.22$. 

Figure B.2: Plot of the optimal expected photon number $\mu$ as a function of transmittance 
$\eta$ for the coherent state QKD+infinite decoy. The parameters used in the simulation are 
listed in Table 3.1. 

Now, we would like to do an analytical discussion under some approximations. We 
take the approximations $Y_0 \ll \eta \ll 1$. Then Eqs. (3.7), (3.9), (3.8) and (3.10) are reduced 
to: 

$$\begin{aligned} Q_1 &\approx \eta\mu e^{-\mu} \\ e_1 &= e_d \\ Q_\mu &\approx \eta\mu \\ E_\mu &= e_d \end{aligned}$$

Substituting these formulas into Eq. (2.6), the key generation rate is given by: 

$$R \approx \frac{1}{2}\left\{-\eta\mu f(e_d) H_2(e_d) + \eta\mu e^{-\mu}\left[1 - H_2(e_d)\right]\right\}$$

The expression is optimized if we choose $\mu = \mu_{optimal}$ which fulfills: 

$$(1 - \mu)\exp(-\mu) = \frac{f(e_d) H_2(e_d)}{1 - H_2(e_d)}. \tag{B.4}$$

Then we can solve this equation and obtain, by using $f(\delta) = 1.22$: 

$$\mu_{optimal} \approx 0.48$$

where for the GYS experiment, $e_d = 3.3\%$, as listed in Table 3.1. In comparison of this 
result to Figure B.2, we can see that Eq. (B.4) is a good approximation. 
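
The two stationarity conditions of Section B.1 can be checked numerically. The following Python sketch is an added example, not code from the thesis: it solves $-\mu e^{-\mu} + \eta e^{-\eta\mu} = 0$ (no decoy) and $(1 - \mu)e^{-\mu} = f(e_d)H_2(e_d)/[1 - H_2(e_d)]$ (infinite decoy) by bisection and evaluates the approximate key rates at the optimum. It assumes the same approximations $Y_0 \ll \eta \ll 1$ and a prefactor of 1/2; all function names are this example's own.

```python
import math


def h2(x):
    """Binary Shannon entropy H_2(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def bisect(func, lo, hi, iters=200):
    """Root of func on [lo, hi]; func must change sign across the interval."""
    f_lo, f_hi = func(lo), func(hi)
    if f_lo * f_hi > 0:
        raise ValueError("no sign change on the interval")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        f_mid = func(mid)
        if f_lo * f_mid <= 0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return 0.5 * (lo + hi)


def mu_opt_no_decoy(eta):
    """Stationary point of R <= 1/2 [(1 + mu) e^-mu - e^(-eta mu)] (worst-case
    assumption that every multi-photon pulse is detected)."""
    return bisect(lambda mu: eta * math.exp(-eta * mu) - mu * math.exp(-mu), 0.0, 1.0)


def mu_opt_decoy(e_d, f_ec=1.22):
    """Root of (1 - mu) e^-mu = f H_2(e_d) / (1 - H_2(e_d)); it does not depend on eta."""
    rhs = f_ec * h2(e_d) / (1.0 - h2(e_d))
    if rhs >= 1.0:
        raise ValueError("error rate too high: the key rate is not positive for any mu")
    return bisect(lambda mu: (1.0 - mu) * math.exp(-mu) - rhs, 0.0, 1.0)


def rate_no_decoy(mu, eta):
    """Upper bound on the key rate without decoy states (error correction neglected)."""
    return 0.5 * ((1.0 + mu) * math.exp(-mu) - math.exp(-eta * mu))


def rate_decoy(mu, eta, e_d, f_ec=1.22):
    """Approximate key rate with infinite decoy states for Y_0 << eta << 1."""
    return 0.5 * eta * mu * (-f_ec * h2(e_d) + math.exp(-mu) * (1.0 - h2(e_d)))


def compare(etas, e_d=0.033):
    """(eta, mu and rate without decoy, mu and rate with decoy) for each transmittance."""
    mu_d = mu_opt_decoy(e_d)
    rows = []
    for eta in etas:
        mu_n = mu_opt_no_decoy(eta)
        rows.append((eta, mu_n, rate_no_decoy(mu_n, eta), mu_d, rate_decoy(mu_d, eta, e_d)))
    return rows


if __name__ == "__main__":
    for eta, mu_n, r_n, mu_d, r_d in compare([1e-2, 1e-3, 1e-4]):
        print(f"eta={eta:.0e}  no decoy: mu={mu_n:.3e} R={r_n:.3e}   "
              f"decoy: mu={mu_d:.3f} R={r_d:.3e}")
```

The printed rows show the scaling behind the two results: without decoy states the optimal $\mu$ tracks $\eta$ and the rate falls as $\eta^2$, while with decoy states $\mu$ stays near 0.48 and the rate falls only linearly in $\eta$.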
B.2 Triggering PDC QKD 

Here, instead of numerically optimizing $\mu$ as implemented for Figure 7.2, we qualitatively 
investigate the optimal $\mu$ for the triggering PDC QKD with and without decoy 
states. We are interested in the case where Alice uses a threshold detector. 

B.2.1 Without decoy states 

Let us begin with the optimal $\mu$ of the case without decoy states. Here, we will apply 
the GLLP [35] security analysis. As shown in Ref. [73], GLLP and Lütkenhaus's [70] 
security analyses achieve similar performances for the coherent state QKD. Intuitively, 
we should get a similar optimal $\mu$ as given in Ref. [70], $\mu \sim \eta/2$. 

From Eq. (7.8), we can see that the gain $Q_{\mu,j}$ ($j = 0, 1$) is in the order of $\mu\eta$. To keep 
$Q_{1,0}$ or $Q_{1,1}$ in Eq. (7.14) positive, $\mu$ should be in the order of $\eta$. By assuming $\mu$, $\eta$ and 
$Y_{0B}$ are small, we can simplify Eq. (7.8): 

$$\begin{aligned} E_{\mu,1} &\approx E_{\mu,0} \approx e_d \\ Q^L_{1,0} + Q^L_{1,1} &\approx \eta\mu - \mu^2 \\ e^U_1 &\approx \frac{e_d\, \eta}{\eta - \mu} \end{aligned} \tag{B.5}$$

where $Q^L_{1,0} + Q^L_{1,1}$ is the lower bound of $Q_{1,0} + Q_{1,1}$ and $e^U_1$ is the upper bound of $e_1$ 
from Eq. (7.14). Since the error rates from triggered ($j = 1$) and non-triggered ($j = 0$) 
detection events are the same, the key generation rate given by Eq. (7.19) can be simplified 
to: 

$$\begin{aligned} R &\ge q\left\{-f(E_\mu) Q_\mu H_2(E_\mu) + Q_1\left[1 - H_2(e_1)\right] + Q_0\right\} \\ &\approx q\left\{-f(e_d)\,\eta\mu\, H_2(e_d) + (\eta\mu - \mu^2)\left[1 - H_2\!\left(\frac{e_d\, \eta}{\eta - \mu}\right)\right]\right\} \end{aligned}$$

By taking the derivative of $R$, the optimal $\mu = x\eta$ satisfies: 

$$-f(e_d) H_2(e_d) + 1 - 2x + e_d \log_2 \frac{e_d}{1 - x} + (1 - e_d - 2x)\log_2\!\left(1 - \frac{e_d}{1 - x}\right) = 0. \tag{B.7}$$

Here, if we set $e_d = 0$, then we get $x = 1/2$, which is compatible with Lütkenhaus' result 
[70]. Note that $x = 1/2$ essentially maximizes the probability of the single photon source 
$Q_{1,0} + Q_{1,1}$ in Eq. (B.5). More precisely, we can solve Eq. (B.7) numerically, see Figure B.3. 
From Figure B.3, we can see that the optimal $\mu$ for triggering PDC+non-decoy is 
$\mu = O(\eta)$, which will lead the final key generation rate $R = O(\eta^2)$. 

Figure B.3: Plot of the optimal $\mu$ in terms of $e_d$ for triggering PDC+non-decoy. Here, 
we use $f(e_d) = 1.22$. 

B.2.2 With decoy states 

With decoy states, Alice and Bob can estimate $Q_1$ and $e_1$ better. Here, we consider the 
infinite decoy state case with threshold detectors. Under the assumption that $\eta$ and $Y_{0B}$ 
are small, we can simplify Eqs. (7.8) and (7.9): 

$$\begin{aligned} Q_{\mu,0} + Q_{\mu,1} &\approx \eta\mu \\ Q_{1,0} + Q_{1,1} &\approx \frac{\eta\mu}{(1 + \mu)^2} \\ E_{\mu,0} &\approx E_{\mu,1} \approx e_d \\ e_1 &\approx e_d \end{aligned} \tag{B.8}$$

With these approximations, the key generation rate given in Eq. (7.19) can be simplified 
to: 

$$R \approx q\left\{-f(e_d)\,\eta\mu\, H_2(e_d) + \frac{\eta\mu}{(1 + \mu)^2}\left[1 - H_2(e_d)\right]\right\}. \tag{B.9}$$

The optimal $\mu$ satisfies: 

$$\frac{1 - \mu}{(1 + \mu)^3} = \frac{f(e_d) H_2(e_d)}{1 - H_2(e_d)}. \tag{B.10}$$

Here, if we set $e_d = 0$, then we get $\mu = 1$, with which the probability of getting a single 
photon state is maximized. The numerical result of Eq. (B.10) is shown in Figure B.4. 

Figure B.4: Plot of the optimal $\mu$ in terms of $e_d$ for the triggering PDC+infinite decoy. 
Here, we use $f(e_d) = 1.22$. 

From Figure B.4, which is similar to the case of coherent state QKD with decoy states 
[77], one can see that the optimal $\mu$ is independent of channel loss $\eta$ for the infinite 
decoy state case with threshold detectors, i.e., $\mu = O(1)$, which will lead the final key 
generation rate $R = O(\eta)$. 

B.2.3 Numerical checking 

Now we would like to numerically compare the optimal $\mu$ with and without decoy states 
by simulating a recent PDC experiment [115], with parameters listed in Table 7.1. In 
the simulation, we numerically optimize $\mu$ for the key rate given by Eq. (7.13) for the 
non-decoy and infinite decoy methods. For this particular setup, the optimal $\mu$ is shown 
in Figure B.5. 

From the figure, we can see that the optimal $\mu$ for the non-decoy case is in the order 
of $\eta$, while the optimal $\mu$ for the infinite-decoy case is in the order of 1. This is consistent 
with the results of the analysis in the two previous subsections. 

Figure B.5: Plot of the optimal $\mu$ in terms of optical loss for triggering PDC+non-decoy 
and triggering PDC+infinite-decoy. Here, we use $q = 1/2$ and $f(E_\mu) = 1.22$. Simulation 
parameters are listed in Table 7.1. 

B.3 Entanglement PDC QKD 

The optimal $\mu$ for the coherent state QKD has already been discussed [70, EZJ]. Here, 
we need to determine the optimal $\mu$ for the entanglement PDC QKD. In the following 
calculation, we will focus on optimizing the parameter $\lambda$ ($= \mu/2$) for the key generation 
rate given in Eq. (8.10). 

By assuming $\eta_B$ to be small and neglecting $Y_0$, we can simplify Eq. (8.8): 

$$Q_\lambda \approx \frac{2\eta_A \eta_B \lambda\,(1 + 3\lambda + 3\eta_A \lambda^2 + \eta_A^2 \lambda^3)}{(1 + \eta_A \lambda)^3}. \tag{B.11}$$

The overall QBER given in Eq. (8.9) can be simplified to: 

$$E_\lambda \approx \frac{1}{2} - \frac{(1 - 2e_d)(1 + \lambda)(1 + \eta_A \lambda)}{2(1 + 3\lambda + 3\eta_A \lambda^2 + \eta_A^2 \lambda^3)}. \tag{B.12}$$

In order to maximize the key generation rate given by Eq. (8.10), the optimal $\lambda$ 
satisfies: 

$$\frac{dQ_\lambda}{d\lambda}\left[1 - (1 + f(E_\lambda)) H_2(E_\lambda)\right] - Q_\lambda \left[1 + f(E_\lambda)\right]\frac{dE_\lambda}{d\lambda}\log_2 \frac{1 - E_\lambda}{E_\lambda} = 0. \tag{B.13}$$

Here, we treat $f(E_\lambda)$ as a constant. In the following, we will consider two extremes: 
$\eta_A \approx 1$ and $\eta_A \ll 1$. 

When $\eta_A \approx 1$, the overall gain and QBER are given by: 

$$\begin{aligned} Q_\lambda &\approx 2\eta_B \lambda \\ E_\lambda &\approx \frac{2e_d + \lambda}{2 + 2\lambda} \end{aligned} \tag{B.14}$$

Thus, Eq. (B.13) can be simplified to: 

$$1 - \left[1 + f(E_\lambda)\right] H_2(E_\lambda) - \lambda\left[1 + f(E_\lambda)\right]\frac{1 - 2e_d}{2(1 + \lambda)^2}\log_2 \frac{1 - E_\lambda}{E_\lambda} = 0. \tag{B.15}$$

When $\eta_A \ll 1$, 

$$\begin{aligned} Q_\lambda &\approx 2\eta_A \eta_B \lambda (1 + 3\lambda) \\ E_\lambda &\approx \frac{e_d + \lambda + e_d \lambda}{1 + 3\lambda} \end{aligned} \tag{B.16}$$

Thus, Eq. (B.13) can be simplified to: 

$$(1 + 6\lambda)\left\{1 - \left[1 + f(E_\lambda)\right] H_2(E_\lambda)\right\} - \lambda\left[1 + f(E_\lambda)\right]\frac{1 - 2e_d}{1 + 3\lambda}\log_2 \frac{1 - E_\lambda}{E_\lambda} = 0. \tag{B.17}$$

The solutions to Eqs. (B.15) and (B.17) are shown in Figure B.6. 

From Figure B.6, we can see that the optimal $\mu = 2\lambda$ for the entanglement PDC is 
in the order of 1, $\mu = 2\lambda = O(1)$, which will lead the final key generation rate to be 
$R = O(\eta_A \eta_B)$. 

Figure B.6: Plot of the optimal $\mu$ in terms of $e_d$ for the entanglement PDC QKD. 
$f(e_d) = 1.22$. 